Participant Data at Community Colleges, Public Schools Exposed in Breach at TPA
A third-party administrator of 403(b) and 457(b) plans experienced a cyber breach last month, exposing sensitive information of more than 48,400 retirement plan participants.
Carruth Compliance Consulting Inc., a third-party administrator that handles 403(b) and 457(b) retirement savings for many school districts, has suffered a data breach, exposing the data of more than 48,400 participants.
At least 12 community colleges and public schools that use Carruth’s services have been impacted, according to several alerts on the Maine attorney general’s website; the state requires notification if any residents were affected by a breach.
A letter sent to affected participants stated that on January 13, schools were notified by Carruth that it experienced a data security incident in which portions of its computer network were accessed by an unauthorized party.
Carruth reported that, upon learning of the incident, the company began working with third-party specialists to investigate the activity and then notified the FBI. Carruth’s investigation determined that personal information may have been acquired without authorization on or about December 21, 2024, but Carruth could not identify affected individuals.
Information potentially affected may have included names, Social Security numbers and financial account information. In more limited circumstances, the information could include driver’s license numbers, W-2 information, medical billing information (but not medical records) and tax filings.
Carruth reported that if participants had provided the personal information of beneficiaries, their information may also have been affected in this incident.
The schools wrote in letters to affected participants that they are working to identify all current and former employees whose personal information was shared with Carruth and sufficient contact information to notify them about the incident.
According to the Maine AG’s site, all of the schools impacted are located in Oregon, including Gladstone School District, Chemeketa Community College, North Santiam School District, North Wasco County School District, Jefferson School District, Klamath County School District, Linn Benton Community College, Perrydale School District, Junction City School District, Southern Oregon Educational Services District, Greater Albany Public School District and Lincoln County School District.
Seattle Public Schools also released an FAQ with more information about the breach.
Carruth did not immediately respond to a request for comment.