Cyberattacks and Data Breaches: How Safe Are Your Retirement Accounts?

Thanks to the Facebook/Cambridge Analytica scandal, unearthed in March 2018, Americans' awareness of privacy, data breaches and overall security has heightened. The London-based political consulting firm, which filed for bankruptcy two months later, compromised some 87 million Facebook users’ personal data and has caused concern over how much of their personal information is floating around “out there.” 

A 2017 Identity Fraud Study by Javelin Strategy & Research reported 15 million people were victims of identity theft in 2016, with the losses totaling $16 billion. While most identity theft targets credit cards, tax returns or bank accounts, attempts to access retirement funds rises every year. For many plan participants, a retirement plan may be their largest asset outside of home equity. 

So, how susceptible are 401(k)/403(b) plans to cyberattacks? For many of the largest providers, it is not uncommon for them to experience as many as 3 million fraudulent attempts every day. Cyberattacks are a constant threat to retirement plan recordkeepers.

Technology, encompassing social, productivity and shopping apps, provides daily conveniences that could be difficult to live without in the 21st century. For the conveniences, users sacrifice privacy and personal data. The amount of data we relinquish, knowingly — or in most cases, unknowingly — is almost beyond comprehension. And, how the data is to be used and protected is hidden in lengthy user agreements that we blindly accept. 
 
In addition to the amount of data that we knowingly disclose, there is even more personal information that is unknowingly shared or stolen through large-scale breaches. Target, Home Depot and Lord & Taylor are just a few retailers whose data breaches have placed customers’ dates of birth, Social Security and credit card numbers on the dark web, and there is enough information for cyber criminals to do serious damage.

Qualified retirement plans, including 401(k)/403(b), have features built in to help restrict fraudulent access to retirement funds. For example, most plans do not allow in-service withdrawals when participants are under 59 ½, the normal retirement age. Recordkeepers, too, have safeguards in place to ensure unauthorized persons cannot direct monies be transferred to a different account or mailed to an address other than your address of record. Every year, the industry spends tens-of-millions of dollars to stay ahead of the increasingly sophisticated attacks.

Alternatively, participants can take steps to thwart fraudulent attempts to access their retirement plans. The most effective way for participants to take advantage of the recordkeepers’ built-in safeguards is to register their account online. The majority of retirement plan providers now offer dual-authentication features that dramatically cut down the probability of fraudulent activity. In order for these features to work, the participant must have registered their account online. Those participants eligible for normal distributions but do have not have access to their account online are the most susceptible. 

In the event a participant reports their identity has been stolen, here are the steps they should take:

Change all passwords and ensure they’re strong. There are a number of free or pay-for-service password management software applications available that encrypt strong, unique passwords for each site you visit. LastPass, Dashlane and Sticky Password are just a few.

Contact the Federal Trade Commission (FTC) and file a police report.

Put a freeze on credit. A credit freeze does not stop fraudulent attempts to access accounts, but it limits who can view your credit report. In the event an unauthorized person has their information and tries to establish a new line of credit, an issuer will not be able to view the credit history and will be less likely to issue additional credit. This is typically offered at no cost to identity theft victims. Freeze the credit reports with all three credit rating agencies and know the thawing process.

Enroll in credit monitoring. These services will help track any new accounts that may be opened fraudulently. Also, services are typically offered at no cost for identity theft victims.

Call the plan provider and notify them of the breach. Request additional layers of authentication and stricter requirements for disbursing funds.

The website identitytheft.gov is a great resource, with steps to create and track a recovery plan to assist in the process. With one-in-four Americans having experienced some sort of identity theft, it is important to know it doesn’t have to be a debilitating experience. 

If you have any questions about how to keep your information safe, please contact any of our advisors


While this article addresses generally held investment philosophies of Fi3 Advisors, it does not represent a specific investment recommendation for any individual client or prospective client. Please consult with your advisor, attorney and accountant, as appropriate, regarding specific advice. Information has been obtained from a variety of sources believed to be reliable but not independently verified. Past performance does not indicate future performance.