This week the San Francisco Employees’ Retirement System (SFERS) revealed a data breach that affected more than 70,000 of its members.
The incident, SFERS reveals, involved 10up Inc., one of the vendors that works with the retirement program to provide online access to their account information for SFERS members.
On March 21, the vendor discovered that as of August 29, 2018, an unknown party had accessed a server that included a database with information on about 74,000 SFERS member accounts, among others.
10up Inc. immediately shut down the server, and launched an investigation. While there is no evidence that any data pertaining to SFERS members has been removed from the server, it can not confirm that the perpetrators have not accessed or copied the data, according to the vendor.
Although no social security numbers (SSN) and bank account numbers were stored on the server, the retirement system announced that a large amount of other data was released, with both active and retired SFERS members affected.
The breached database contained the following data from active SFERS members: full name and home address , date of birth and full name , date of birth and relationship with the designated recipient. If the member was registered on the SFERS website, their username and questions and answers regarding security were also violated.
For retired members, the leaked data includes full name and home address , date of birth, first name , date of birth, and relationship to the designated recipient, IRS Form 1099R details, and bank ABA (routing) number for direct depositors. Also exposed were username and security questions and responses from those with accounts on the SFERS web site.
“The server was locked 10up within hours of discovering the potential data breach. For all members who log in to the SFERS website, SFERS has implemented a password reset requirement, “the retirement system also notes.