Cybersecurity Threats to Retirement Systems in 2024: What You Need to Know
As we approach the new year, TEXPERS revisits the biggest cybersecurity stories of 2024, highlighting the escalating cyber threats that have significantly impacted retirement systems.
This year, global cybercrime damages are projected to reach $9.5 trillion, underscoring the critical need for enhanced cybersecurity measures across all sectors. In the financial services industry, the average cost of a data breach has risen to $5.72 million, reflecting the substantial financial risks associated with cyber incidents.
These alarming statistics emphasize the importance of robust cybersecurity strategies to protect sensitive financial information and ensure the integrity of retirement systems.
JPMorgan Chase Data Breach
One of the most significant incidents of 2024 was a data breach at JPMorgan Chase. This breach affected over 451,000 retirement plan participants, exposing sensitive information such as names, addresses, Social Security numbers, and bank details. The root cause was a software flaw that went undetected from August 2021 to February 2024. Although the breach was not caused by a direct cyberattack, it highlighted vulnerabilities in access control systems.
Read more: Daily Security Review
MOVEit Cyberattack
The MOVEit file transfer application became a target for cybercriminals, compromising retirement systems across at least 10 states. Public pension systems like the California Public Employees' Retirement System (CalPERS) and the California State Teachers' Retirement System (CalSTRS) were severely impacted. Together, these breaches affected nearly 1.2 million participants and beneficiaries. Major record keepers such as Fidelity Investments and TIAA were also impacted, compromising data for millions of retirement account holders.
Learn more: Pensions & Investments
National Public Data (NPD) Breach
Although not exclusively targeting retirement systems, the National Public Data (NPD) breach compromised up to 2.9 billion records, including Social Security numbers, names, and addresses. This breach posed significant risks to financial security for countless individuals, including those with retirement accounts. The sheer scale of the incident raised alarms about the need for more robust data protection measures.
Details available at: MarketWatch
Infosys McCamish Systems Breach
The breach at Infosys McCamish Systems, a provider of solutions for insurance and financial institutions, affected clients of companies like Bank of America and Fidelity Investments Life Insurance. Sensitive information, including Social Security numbers, dates of birth, and financial account details, was exposed due to unauthorized access between October and November 2023. Notifications to affected individuals extended well into 2024.
Find out more: McAfee Blog
Financial Business and Consumer Solutions (FBCS) Breach
In February 2024, a breach at FBCS, a debt collection agency, compromised data for over 4 million individuals. Although not a direct retirement system breach, the exposed information—including names, addresses, Social Security numbers, and health insurance details—could have broader financial security and planning implications.
More information: McAfee Blog
Change Healthcare Ransomware Attack
In October, the U.S. Office for Civil Rights revealed that threat actors breached Change Healthcare's system in February as part of a ransomware attack. This breach resulted in unauthorized access to the private health information of more than 100 million people, marking the largest-ever healthcare data breach reported to U.S. federal regulators.
The ransomware group ALPHV, also known as BlackCat, claimed responsibility for the attack. During a Senate hearing in May, the CEO of UnitedHealth Group, Change Healthcare's parent company, disclosed that a ransom of $22 million in Bitcoin had been paid to secure the release of stolen data. The attack caused significant disruption, delaying prescription deliveries and resulting in a business impact estimated at $705 million.
While this breach did not directly target retirement systems, it underscores the interconnected nature of financial and health systems. Healthcare data breaches can impact retirees' financial security, as compromised information can lead to identity theft, fraudulent activities, and long-term economic repercussions.
Learn more: TechRepublic
Lessons Learned
These breaches highlight the urgent need for Public Employee Retirement Systems to bolster cybersecurity measures. Here are some critical steps these organizations can take, as recommended by the Cybersecurity and Infrastructure Security Agency (CISA) and other leading experts:
- Invest in Advanced Security Infrastructure: Implement robust firewalls, intrusion detection systems, and end-to-end encryption to protect sensitive data.
- Conduct Regular Risk Assessments: Periodically evaluate vulnerabilities in IT systems and address potential weak points before attackers can exploit them.
- Develop a Comprehensive Incident Response Plan: Ensure a well-documented and practiced response strategy to minimize damage and downtime during a breach.
- Enhance Employee Training: Educate staff on recognizing phishing attempts, social engineering, and other common cyber threats.
- Engage in Collaborative Security Efforts: Partner with industry groups, government agencies, and cybersecurity firms to stay informed about emerging threats and best practices.
- Implement Multi-Factor Authentication (MFA): Require MFA for all access points to sensitive financial and member data.
By adopting these measures, Public Employee Retirement Systems can significantly reduce their exposure to cyber risks and protect the financial futures of their participants. For additional resources on cybersecurity best practices, visit the National Cybersecurity Alliance and CISA's Cyber Essentials.
What steps is your organization taking to enhance cybersecurity? Let us know in the comments below!
About the Author: Allen Jones is the director of communications and event marketing for TEXPERS. He joined the Association in 2017. Before TEXPERS, he worked in the news media industry, producing content for newspapers, magazines, and online publications and leading newsrooms as an editor and publications manager.