Thursday, December 14, 2017


More than 100 retirees in the Iowa Public Employees’ Retirement System received a scare on Halloween day when they discovered that their pension checks hadn’t electronically deposited into their bank accounts. The pensioners’ money, it turns out, had been diverted into different bank accounts set up by computer hackers.

The incident is a warning for public employee pension systems across the United States, including here in Texas, that retirement systems can be prime targets for cybercriminals.

The Iowa PERS breach involved “hundreds of thousands of dollars” in benefit payments for 103 retirees, says Martin Moen, deputy chief information officer for the fund. The cybercriminals used stolen Social Security numbers and birth dates of pensioners to register accounts on the member access portal of the Iowa PERS online system. The hackers then changed direct deposit information and redirected the benefit payments.

Only accounts for which the retiree had never set up a username and password for online access were involved, Moen says. The breach occurred Oct. 18. However, fund officials didn't learn of the incident until Oct. 31, when several of the fund's retirees began calling to ask why their pensions had not been deposited into their accounts.

“When we realized we had an issue with our member portal we shut off access to it immediately,” Moen says. “We brought the portal down, and took links to the portal off of our main website. It remained down for two days then while we worked the incident.”

The retirement fund also contacted law enforcement.

“We started with the Iowa Department of Public Safety, Department of Criminal Investigation,” Moen says. “They directed us to the FBI.”

The FBI is investigating the incident. As of Dec. 6, there was no confirmation of any arrests.

However, the FBI has been able to identify where some of the funds ended up. Moen says the cybercriminals established several accounts with a banking institution that makes it easy to create accounts online. Moen says the bank has been cooperating with the investigation.

The Iowa PERS has roughly 115,000 retirees. Fund members are employed by the state, cities, and counties or work in education and other governmental fields. Only 15 percent of the fund's members are active and retired state employees, yet all 103 victims of the breach are former state employees. Because of that, Moen believes the cybercriminals obtained Social Security numbers from a source other than the pension system and then matched them against information publicly available in a state database.

“There’s a state database freely available to the public with employee names, salary info and that indicates if a person is retired,” Moen says. “You can even download 660,000 records as a CSV (electronic data) file.”

Because none of the identity theft victims had registered for online account access with the fund, the computer hackers used the stolen Social Security numbers and birthdates to gain access to the fund’s member portal. Once registered, the hackers changed banking information of the retirees. The hackers registered five to 10 online accounts a day for about a month, Moen says.

To help prevent this from happening again, the Iowa PERS is establishing a multi-step method of confirming a retiree's identity for its online member portal. When a retiree logs into the member portal and changes banking or contact information, the fund emails the account holder and also sends a notice by traditional mail to verify that the retiree actually requested the change. Retirees can also no longer use Social Security numbers to register for account access. The fund is also contracting with ThreatMetrix, a California-based company whose software profiles online transactions and activity to determine whether they originate from legitimate customers or impostors.
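The attack pattern described above (a fresh registration on an unclaimed account, followed minutes later by a direct-deposit change, repeated a handful of times a day and routed to a few accounts at one bank) is easy to express as detection rules over a portal audit log, and the "email plus postal notice" control maps to a hold on deposit changes for recently registered accounts. The following is an added example written for this article, not Iowa PERS or ThreatMetrix code. The log format, field names, IP addresses, routing numbers and thresholds are all constructed assumptions for illustration; a real deployment would derive the daily-registration threshold from the fund's own baseline.

```python
"""Detection and hold rules for the register-then-redirect account-takeover pattern.

Added example; assumes a CSV-style portal audit log with the columns
timestamp,event,member_id,source_ip,detail. All data below is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

REGISTER = "register"
DD_CHANGE = "change_direct_deposit"

# Constructed sample log (hypothetical members, IPs and routing numbers).
# Five newly registered members redirect payments to one routing number;
# M3001 is a long-registered member making a normal change.
SAMPLE_LOG = """\
2017-10-18T09:02:11,register,M1001,203.0.113.7,
2017-10-18T09:05:40,change_direct_deposit,M1001,203.0.113.7,routing=021000021
2017-10-18T09:31:02,register,M1002,203.0.113.7,
2017-10-18T09:33:19,change_direct_deposit,M1002,203.0.113.7,routing=021000021
2017-10-18T10:14:55,register,M1003,203.0.113.9,
2017-10-18T10:16:08,change_direct_deposit,M1003,203.0.113.9,routing=021000021
2017-10-18T11:20:30,register,M1004,203.0.113.9,
2017-10-18T11:22:03,change_direct_deposit,M1004,203.0.113.9,routing=021000021
2017-10-18T13:02:44,register,M1005,203.0.113.7,
2017-10-18T13:05:12,change_direct_deposit,M1005,203.0.113.7,routing=021000021
2017-10-18T14:44:01,register,M2001,198.51.100.22,
2017-10-18T15:00:00,login,M3001,198.51.100.40,
2017-10-25T08:10:00,change_direct_deposit,M3001,198.51.100.40,routing=011000015
2017-10-25T10:00:00,register,M2002,198.51.100.23,
"""


def parse_log(text):
    """Parse the audit log into event dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event, member_id, ip, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "member_id": member_id, "ip": ip, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def registration_times(events):
    """member_id -> time of the registration event seen in this log."""
    return {e["member_id"]: e["ts"] for e in events if e["event"] == REGISTER}


def register_then_redirect(events, window=timedelta(days=7)):
    """Members who changed direct deposit within `window` of registering.

    A legitimate retiree rarely claims an account and re-routes the pension
    in the same sitting; an impostor holding SSN + DOB almost always does.
    """
    registered_at = registration_times(events)
    return [e["member_id"] for e in events
            if e["event"] == DD_CHANGE
            and e["member_id"] in registered_at
            and e["ts"] - registered_at[e["member_id"]] <= window]


def registration_velocity(events, per_day_threshold=3):
    """Days on which new registrations exceed the (assumed) daily baseline."""
    per_day = Counter(e["ts"].date().isoformat()
                      for e in events if e["event"] == REGISTER)
    return {day: n for day, n in per_day.items() if n > per_day_threshold}


def shared_destination(events, min_members=3):
    """Routing numbers that several distinct members switched to.

    Mule accounts at one online-friendly bank show up as a single routing
    number suddenly shared by unrelated retirees.
    """
    members_by_routing = defaultdict(set)
    for e in events:
        if e["event"] == DD_CHANGE and e["detail"].startswith("routing="):
            members_by_routing[e["detail"][len("routing="):]].add(e["member_id"])
    return {r: sorted(m) for r, m in members_by_routing.items()
            if len(m) >= min_members}


def hold_decisions(events, seasoning=timedelta(days=30)):
    """Preventive control: hold deposit changes on accounts registered less
    than `seasoning` ago until the out-of-band (email + postal) confirmation
    returns; apply changes on seasoned accounts after notification."""
    registered_at = registration_times(events)
    decisions = {}
    for e in events:
        if e["event"] != DD_CHANGE:
            continue
        reg = registered_at.get(e["member_id"])
        recent = reg is not None and e["ts"] - reg < seasoning
        decisions[e["member_id"]] = "hold" if recent else "apply"
    return decisions


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("register-then-redirect:", register_then_redirect(evs))
    print("registration spikes:", registration_velocity(evs))
    print("shared destinations:", shared_destination(evs))
    print("hold decisions:", hold_decisions(evs))
```

The three detection rules are independent signals; in the constructed log each one alone catches the five takeovers, and in practice correlating them cuts false positives from genuine retirees who register and immediately update a stale bank account. The hold rule is the part that actually stops the money leaving: a detection that fires after the payment run, as the Oct. 31 phone calls did, is too late.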

Moen says it is important for public employee funds to have cyberthreat measures in place. He has a piece of advice for Texas funds.

“If your fund has an online member portal, make sure all members register as soon as possible,” Moen says. “If all of our members had been registered, none would have been affected by this attack.”

Professor Glenn Dietrich teaches cybersecurity at the University of Texas at San Antonio. The university is home to the nation's top cybersecurity program, which spans three colleges: the College of Business, the College of Engineering and the College of Sciences. The curriculum includes 20 classes. Dietrich also founded the Center for Infrastructure Assurance and Security.

He says Texas pension administrators can expect to see more cybersecurity threats. Hackers are continually searching for companies with weak security to steal sensitive information, usually for profit.

He has some basic tips for Texas public pension administrators looking to ensure their funds’ networks are protected:

  •       Protect networks with a firewall, a device or software program that monitors incoming and outgoing network traffic and allows or blocks specific traffic based on a defined set of security rules.
  •       Install antivirus software. The software is designed to detect and remove malicious programs that modify other programs and insert their own code. Antivirus software finds known viruses that already have signatures, Dietrich says, not new ones, so the larger vendors such as Norton ship regular signature updates that must be applied.
  •       Install anti-malware software. Although anti-malware software also helps protect against viruses, he recommends obtaining it separately from antivirus software. Microsoft offers a free program on its website. Anti-malware tools can also detect keyloggers, software secretly installed on a computer to capture personal and sensitive information such as Social Security numbers, passwords and corporate data as it is typed.
  •       Establish unique logins and passwords for all systems. Dietrich suggests using passphrases instead of passwords and, where possible, pairing them with custom user IDs rather than predictable ones for logging into networks.
  •       Encrypt files. Encryption tools scramble stored data such as email addresses, passwords and other personal and sensitive information so that it is unreadable without the key. Microsoft also offers a download on its site.

Allen Jones
About the Author:
Allen Jones is the communications manager for the Texas Association of Public Employee Retirement Systems. Email him at allen@texpers.org or call 713-622-8018.
