Investigators are still trying to determine how cyber-thieves stole hundreds of thousands of dollars in pension benefits from retired Iowa public employees, but it’s likely they first obtained Social Security numbers and birth dates from other sources, says a computer security expert.
“What happened was pretty clever on the attackers’ part,” said Doug Jacobson, a professor of computer engineering and director of Iowa State University’s Information Assurance Center. “My guess is that they had personal identifying information and then they checked various places to see if they had an account.”
In an effort to bolster security, the Iowa Public Employees’ Retirement System, which provides pensions to 115,000 retirees, said Monday it is no longer accepting Social Security numbers for retirees registering for online account access. In addition, the system is monitoring all new online registrations and failed log-in attempts.
The breach was uncovered last week when IPERS learned that 103 retirees’ accounts had been compromised in mid-October. In each case, the money was stolen from accounts owned by retirees who had not previously established online account access, said IPERS’ spokeswoman Judy Akre. The online access was used to redirect direct deposit information to a different financial institution.
Investigators have determined that no additional accounts have been compromised, although hundreds of thousands of dollars were stolen, Akre said. The Iowa attorney general’s office is working to find the missing funds, and some money has already been recovered, she added. Meanwhile, benefit payments have been reissued to the correct financial institutions so retirees can receive their pensions.
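The pattern IPERS describes, an online account registered for a member who had never enrolled, followed within minutes by a direct-deposit change, is easy to flag once registrations, deposit changes and failed log-ins are in one event stream. The following is an added example, not IPERS code; the log format, the two-day window and the sample events are all constructed for illustration.

```python
"""Detect 'register, then immediately redirect direct deposit' across accounts.

Added example, not code from IPERS or the article.  Log layout, window
size and the sample events below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real IPERS logs).
# Fields: timestamp  event  member_id  source_ip
SAMPLE_LOG = """\
2017-10-12T09:01:10 REGISTER m1001 203.0.113.7
2017-10-12T09:03:42 DD_CHANGE m1001 203.0.113.7
2017-10-12T09:10:05 REGISTER m1002 203.0.113.7
2017-10-12T09:11:30 DD_CHANGE m1002 203.0.113.7
2017-10-13T14:20:00 REGISTER m2001 198.51.100.20
2017-10-14T10:00:00 LOGIN_FAIL m3001 203.0.113.7
2017-10-14T10:00:30 LOGIN_FAIL m3002 203.0.113.7
2017-11-02T08:00:00 DD_CHANGE m2001 198.51.100.20
"""

WINDOW = timedelta(days=2)   # assumed: a legitimate member rarely re-routes pay this fast


def parse(log):
    """Turn the constructed log into (datetime, event, member, ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, ev, member, ip = line.split()
        events.append((datetime.fromisoformat(ts), ev, member, ip))
    return events


def flag_quick_redirects(events, window=WINDOW):
    """Return (member, ip) for accounts whose direct deposit changed within
    `window` of the account being registered online for the first time."""
    registered = {}
    flagged = []
    for ts, ev, member, ip in sorted(events):
        if ev == "REGISTER":
            registered[member] = ts
        elif ev == "DD_CHANGE" and member in registered:
            if ts - registered[member] <= window:
                flagged.append((member, ip))
    return flagged


def group_by_ip(flagged):
    """Several freshly claimed accounts redirected from one address is the tell
    for a scripted run against stolen PII rather than an individual mistake."""
    by_ip = defaultdict(list)
    for member, ip in flagged:
        by_ip[ip].append(member)
    return dict(by_ip)


def failed_logins_by_ip(events):
    """Count LOGIN_FAIL events per source address (IPERS said it now watches these)."""
    counts = defaultdict(int)
    for _, ev, _, ip in events:
        if ev == "LOGIN_FAIL":
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(group_by_ip(flag_quick_redirects(evs)))
    print(failed_logins_by_ip(evs))
```

On the constructed log, m1001 and m1002 are flagged and both trace to 203.0.113.7, while m2001, whose deposit change came three weeks after registration, is not. A real deployment would key the window off the member's first-ever online registration, not any later log-in, because the accounts abused here had never been claimed before.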
The online account system is widely used by IPERS’ retirees with only 3 percent still receiving paper pension checks in the mail.
Akre said IPERS is working with Iowa-based agents of the FBI as it continues its investigation, as well as with the state government’s Information Security Office.
“We have a lot of people looking at it right now,” she remarked, although they have not narrowed the investigation to any particular country, individual or group.
Because of major cybersecurity breaches of consumer data that have been reported nationally — such as the Equifax case that affected as many as 143 million Americans — it’s not surprising that criminals have obtained personal identifying information about thousands of Iowans, said ISU’s Jacobson. The information could be cross-checked with online sites to determine if any were former Iowa public employees who might be receiving pension checks, he added.
The IPERS breach shows that it’s important for consumers to create their own online accounts for credit cards, pension benefits and other personal financial accounts. “Even if you never log in again after that first time, it at least prevents somebody else from getting into it,” Jacobson said.
The Iowa State computer expert also said he’s not sure IPERS was at fault for the breach because the Iowa public employees’ pension system handled its computer security in a standard manner.
“We used to think that a Social Security number was a very private, personal piece of information. But that is changing due to the breaches. But now they need to re-evaluate that practice, even though it was widely accepted six months ago as a way to identify somebody over the internet,” Jacobson said.
One alternative to a Social Security number would be a personal identification number, or PIN, sent through the mail. Another approach would be to use two-factor authentication for passwords through an alternative method of delivering a secret code, such as a text message, Jacobson said.
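The difference between the two registration designs comes down to what the server treats as the secret. Below is an added example, not IPERS code, contrasting a knowledge-based claim (SSN plus birth date, which anyone holding data from another breach can pass) with a claim that requires a one-time code mailed to the address on file. The record layout, the 8-digit code, the 30-day validity and the five-attempt limit are assumptions made for illustration; timestamps are plain integer seconds to keep the example self-contained.

```python
"""Account-claim flows: knowledge-based (SSN + DOB) versus mailed one-time code.

Added example, not code from IPERS or the article.  Record layout, code
length, expiry and attempt limit are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets

CODE_TTL = 30 * 24 * 3600   # assumed: mailed code valid for 30 days (seconds)
MAX_ATTEMPTS = 5            # assumed: lock the code after five wrong guesses


def new_member(ssn, dob):
    """Constructed member record; a real system would not keep the SSN in clear."""
    return {"ssn": ssn, "dob": dob, "claimed": False, "enrollment": None}


def knowledge_based_claim(rec, ssn, dob):
    """Old path: matching SSN and birth date is enough to create online access.
    Nothing here is secret from an attacker who bought the data elsewhere."""
    if rec["claimed"]:
        return False
    if hmac.compare_digest(rec["ssn"], ssn) and hmac.compare_digest(rec["dob"], dob):
        rec["claimed"] = True
        return True
    return False


def _digest(code, salt):
    return hashlib.sha256(salt + code.encode()).hexdigest()


def issue_mailed_code(rec, now):
    """Generate a one-time code for the letter.  Only a salted hash is stored,
    so a database leak does not hand out live enrollment codes."""
    code = f"{secrets.randbelow(10**8):08d}"
    salt = secrets.token_bytes(16)
    rec["enrollment"] = {
        "salt": salt,
        "hash": _digest(code, salt),
        "expires": now + CODE_TTL,
        "attempts": 0,
    }
    return code   # goes in the envelope, never in a response to the browser


def mailed_code_claim(rec, submitted, now):
    """New path: SSN and DOB are not consulted at all.  The only thing that
    claims the account is possession of the letter, checked in constant time,
    with expiry, an attempt limit and single use."""
    enr = rec["enrollment"]
    if rec["claimed"] or enr is None:
        return False
    if now > enr["expires"] or enr["attempts"] >= MAX_ATTEMPTS:
        return False
    enr["attempts"] += 1
    if hmac.compare_digest(enr["hash"], _digest(submitted, enr["salt"])):
        rec["claimed"] = True
        rec["enrollment"] = None   # single use
        return True
    return False


if __name__ == "__main__":
    # Attacker holding breached PII claims the account under the old rule...
    victim = new_member("123-45-6789", "1950-04-02")
    print("PII claim:", knowledge_based_claim(victim, "123-45-6789", "1950-04-02"))
    # ...but gets nowhere under the mailed-code rule without the letter.
    victim = new_member("123-45-6789", "1950-04-02")
    code = issue_mailed_code(victim, now=0)
    print("guess:", mailed_code_claim(victim, "00000000", now=0))
    print("letter:", mailed_code_claim(victim, code, now=0))
```

The same structure carries over to a text-message code: `issue_mailed_code` would send the code to a phone number already on file instead of printing a letter, and the claim check stays identical. What matters in both is that the verifier never accepts something the attacker could have learned from a third party's breach.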
Brad Hudson, a legislative lobbyist for the Iowa State Education Association, is vice chair of the IPERS Benefits Advisory Committee. He said the panel discussed IPERS’ cybersecurity at its last meeting with the realization that criminals are increasingly trying to compromise the pension system’s computer system.
“If you talked with us 10 years ago, we probably would have said, ‘If we get a computer (security) issue.’ Now we say, ‘When will it happen and how can we limit that?’” Hudson said. “We are going to try to beef up the front end of the system to try to make sure this doesn’t happen in the future. IPERS is working on that now, and it will be an issue in the future.”
Danny Homan, president of Council 61 of the American Federation of State, County and Municipal Employees, is praising IPERS’ staff for limiting the breach to 103 retirees’ accounts. “I think it speaks volumes for the security that we have there,” he added.
The quick work by IPERS’ staff after learning the accounts had been compromised is an example of why proposals to privatize Iowa’s public employees’ pensions are a bad idea, Homan contends. Some Republican legislators have explored the idea of shifting newly hired public employees away from a defined benefit pension system that offers a monthly retirement check to a defined contribution system that doesn’t guarantee a specific retirement benefit.
“IPERS is doing a good job and the system is very sound,” Homan said. He suggests the Equifax breach is evidence that private companies wouldn’t take the security of public employees’ pension checks as seriously as IPERS’ officials have done.