Thursday, August 9, 2018

Feds arrest man for allegedly laundering stolen money belonging to Texas pensioners


Experts suggest pension funds implement security protocols, educate members


By Allen Jones, TEXPERS Communications Manager

Federal and state authorities recently arrested a man they claim laundered thousands of dollars stolen from pensions belonging to former state employees.

The case is a warning to Texas public pension system administrators and trustees that the personal identification of active and retired plan participants is a prime target for criminals.

Federal law enforcement arrested Lukman Shina Aminu, 34, in Manchester, New Hampshire, July 12 for allegedly laundering thousands of dollars from multiple fraudulent schemes, including money stolen from accounts belonging to retirees of the Employees Retirement System of Texas. Aminu is charged with one count of conspiracy to commit money laundering and was to be transferred from New Hampshire to the Austin Division of the Western District of Texas for trial. If convicted, he could receive up to 20 years in federal prison. 

“Personal information is being compromised at a record-breaking rate,” says Eva Velasquez, CEO and president of the Identity Theft Resource Center, in an email to TEXPERS.

The nonprofit center assists victims of identity crimes in remediating their cases and works to broaden public education and awareness of identity crimes, including data breaches, cybersecurity, scams/fraud and privacy issues. The center helps approximately 10,000 victims of identity theft every year through its call center and more than 800,000 individuals via the free information on its website.

Although the center isn’t involved in the case involving the Employees Retirement System of Texas, Velasquez says institutions and organizations including public pension plans that house personal information could have their systems compromised through a variety of methods (hacking, phishing, employee negligence and theft, for example). But cybercriminals aren't just targeting institutions. Individuals are also self-compromising their information, Velasquez says. 

“This can occur through a scam telephone call, phishing, smishing, and even oversharing on social media,” she says.

The federal complaint doesn’t indicate how the private information of the pensioners was stolen and only charges the suspect with money laundering. TEXPERS attempted to contact ERS; however, officials were unable to respond to questions about the incident due to an ongoing investigation. Aminu's arrest is part of a continuing investigation by the FBI and the Texas Department of Public Safety’s Public Integrity Unit.

Here is what is known. Beginning in June 2017, personally identifiable information of former state employees was used to make changes to their accounts in the retirement system’s internet portal, according to a federal complaint filed in Austin. Bank deposit information of the retirees on file in the system was changed to re-route pension payments to a debit card controlled by the suspected money launderer. 

Money laundering is a process by which criminals disguise the original ownership and control of funds by making stolen funds appear to have come from legitimate sources. In this instance, Aminu allegedly laundered the retirement payments of the pensioners by using the debit card for cash withdrawals and to purchase money orders used for personal expenses. Federal officials also allege that Aminu used the stolen money to buy used vehicles to be shipped overseas to Nigeria and Benin for resale. 

The retirees from the Texas public pension system aren’t the only ones who had their funds stolen, either. The suspect allegedly received multiple transfers from victims of other schemes on other debit cards that had been opened using their personally identifiable information, according to the U.S. Department of Justice criminal complaint against Aminu.

The takeaway for those managing public employee pension plans and those who service investment funds: cybercriminals want the information and money the organizations have. Velasquez says pension plans should be diligent in securing sensitive member information and help pensioners understand how they can help secure their private data.

Financial services organizations such as public pension systems and investment firms have a wealth of information that they keep on hand about their members that thieves would find attractive, Velasquez says. She is right about the sensitive data public pension systems maintain. Public pension plans provide former state and local employees with stable incomes, and that requires lots of personal data to manage investments and issue payments. Systems maintain pensioners’ Social Security numbers, birth dates, home addresses, bank account numbers, and government identification. And they might not be the only entities with the sensitive information. Third-party vendors such as investment brokers and actuaries also might be in possession of personal identification belonging to pensioners. 

More than 2.6 billion data records were compromised worldwide in 2017, according to digital security company Gemalto. The company tracks data breaches and maintains its Breach Level Index online. Every day, 4.7 million records are lost or stolen, or roughly 198,207 records every hour, according to the security firm.

Although the company reports tracking an 11 percent drop in the number of data breaches from 1,981 in 2016 to 1,765 in 2017, security incidents are getting faster and broader in scope. The number of records breached every day nearly doubled between 2016 and 2017. 

A significant factor in the loss of digital records is the abundance of poor security practices, according to the firm’s report. When tracked by industry, 12 percent of breach incidents in 2017 were among financial institutions, 11 percent were among government agencies, and 1 percent were among nonprofits – all areas public pension systems could be classified under.

Organizations should take steps to ensure their digital data are secure, says Velasquez, the Identity Theft Resource Center’s CEO. She stresses that public pensions follow any government regulations for data security as well as develop procedures to secure data networks to help limit breaches.

“Financial institutions are governed by myriad federal regulations so of course, they should be following those,” Velasquez says. “[National Institute of Standards and Technology, a non-regulatory agency of the U.S. Department of Commerce,] also lists best practices for collecting, housing, storing and disposing of sensitive data.”

NIST provides a Cybersecurity Framework, which consists of industry standards to manage cybersecurity-related risk. The framework’s common practices offer organizations “prioritized, flexible and cost-effective approaches to help promote the protection and resilience of critical infrastructure and other sectors relevant to the economy and national security,” according to NIST’s website. Following the NIST cybersecurity guidelines is not required by law, and the guidelines are customizable to individual organizational needs. 

Guidelines suggest creating electronic data security plans; training users, administrators, and management in security practices; instituting an effective password management program; keeping virus protection software up to date; and minimizing access points. Pension systems might offer two-factor authentication on internet portal logins that confirms users’ claimed identities by using a combination of two different verification methods such as a password and an answer to a question they know. Another example is having the user repeat back something that the login portal sent to them by email or by text to their smartphone.

Pension systems also might consider hiring an information technology expert to work with on a full- or part-time basis. IT professionals maintain computer systems for companies and other organizations. It is a growing job field, according to Dennis Bonilla, executive dean of the College of Information Systems and Technology School of Business and College of Criminal Justice at the University of Phoenix. 

“People are often unfamiliar with cybersecurity job titles related to cybersecurity in the IT field,” he says. “They include penetration tester, ethical hackers, computer security incident responders, security architects, security consultants, among other terms. Many people haven’t even considered a career in cybersecurity. There are plenty of jobs out there.” 

In a University of Phoenix cybersecurity survey, only a third of U.S. adults are confident that their companies are prepared to combat hackers. Many indicated it was because their organizations didn’t have an expert on staff. Bonilla said that doesn’t mean public pension systems need to run out and hire a new staff member. It could mean they consider contracting with a cybersecurity firm, seek out a consultant, and ensure their third-party service providers have cybersecurity experts securing sensitive data.

Although cybercriminals are often targeting financial institutions, there is another group of people who are usually in the crosshairs of criminals seeking data they can use to steal money: older adults in retirement.

“The elderly are a high-risk population when it comes to falling victim to scams, fraudsters and identity thieves,” says Velasquez, the Identity Theft Resource Center CEO.

She says the Federal Trade Commission and research firm Javelin Strategy and Research offer some insight into how many people are victims of ID theft. Last year, there were 16.7 million victims of identity fraud in the U.S., according to 2018 Identity Fraud: Fraud Enters a New Era of Complexity, a report issued by Javelin Strategy and Research. Last year, a record number of identity thefts occurred following a previous record set in 2016.

In the U.S., criminals stole $16.8 billion last year. Companies notified 30 percent of U.S. consumers of a data breach during 2017, which is an increase of 12 percent from the year prior. And nationwide, for the first time, more Social Security numbers were exposed than credit card numbers, according to Javelin’s report.

In Texas, there were 33,454 complaints of identity theft reported to the Federal Trade Commission’s Consumer Sentinel Network. The commission ranks Texas 12th in the U.S. in the number of ID theft complaints.

Although the data doesn’t indicate the targeted age groups, experience tells Velasquez that older Americans are frequently subject to being tricked into sharing sensitive information or are just not securing their digital identifications.

There are two distinct vulnerabilities within the retiree population, Velasquez says.

“Some older citizens have more savings at their disposal and higher credit ratings compared to other demographics,” she says. “It has been our experience that they are also less savvy with digital platforms and often more trusting when engaging in online transactions.”

The other segment of the community may be relying on others for their care, she adds. They may not have the means to make critical financial decisions and stay on top of things like good identity hygiene.

Helping pensioners understand how to protect the data they maintain on their personal computers and electronic storage devices might be a service retirement systems provide to reduce the chance of private information falling into the hands of criminals looking to hack into a fund’s data network. Pension systems might consider publishing personal data security tips on their websites, emailing how-to articles on personal cybersecurity to their pensioners, or hosting internet security talks for their local pension members to attend.

Unfortunately, incidents such as what happened to the state plan and its retired members are becoming common in the realm of cybersecurity. However, with attentiveness on behalf of a pension fund’s administrators, the frequency and scope of incidents can be minimized.

Additional Resources

The NIST website provides a list of resources that describe sector best practices. Here are a few resources public pension plan trustees and administrators might want to check out:
Communications
Financial Services
