Retirement Clearinghouse LLC, an industry leader in driving forward the automatic portability of retirement plans, has alerted more than 10,500 individuals that their personal data, including individual retirement account numbers, may have been compromised.

The organization alerted individuals with written notice, dated May 12, that their information may be at risk for fraud, according to public filings in the states where they are located.

“We identified that between March 15 and 16, 2023, a small number of files were at risk of access without authorization,” the firm wrote in the letter. “Because of this, we took measures to ensure the security of the files and notify potentially affected individuals about this matter.”

According to the firm, the files included people’s names, Social Security numbers and IRA account numbers held by Matrix Trust Co., a division of Broadridge Financial Solutions that provides services including IRA administration, rollovers and third-party administration recordkeeping. The letter sent by Charlotte, North Carolina-based Retirement Clearinghouse offered a complimentary, three-month membership to an identity protection product to help monitor identity theft or fraud.

“The phishing incident did not affect the network that the firm is establishing with large retirement recordkeepers to reunite small 401(k) balances with their owners,” Retirement Clearinghouse CEO Spencer Williams said in an emailed statement. The clearinghouse also wrote in the letter that it is “evaluating additional safeguards to mitigate recurrence of this type of event.”

Broadridge wrote in a statement that it is “coordinating with Retirement Clearinghouse in their efforts to inform all impacted individuals of this situation and the services being offered to protect their data.” 

Ignites first reported the breach notifications.

Protection of consumer information within retirement savings plans has been a key focus for the industry in recent years, with the Department of Labor’s Employee Benefits Security Administration issuing cybersecurity guidance, tips and best practices regarding retirement benefits in April 2021. The SPARK [Society of Professional Asset Managers and Recordkeepers] Institute has also been focused on improving cybersecurity in the space, including a November 2022 plan sponsor and adviser guide to cybersecurity best practices.

“We see the cyber breaches across our lives almost every day; we have, in fact, gotten immune to new news,”  says Jay Gepfert, CEO of DOL Cybersecurity LLC, which provides third-party evaluation of the DOL’s cybersecurity guidelines.

Gepfert notes that there are two levels of potential breaches: a “breach by the recordkeeper directly” and a “breach into an account due to participant fault.” He notes that his firm’s research shows that more than 75% of breaches come from individual human error, usually due to one of the various methods to gain access being compromised.  

“Most of the large, national recordkeepers have for years spent large amounts of money on their cyber systems and procedures,” Gepfert says. “This includes both from a technical perspective and training of employees on how to handle the expanding volume of attempts to gain access. … The real weak point for gaining access is through employees and participants.”

The Retirement Clearinghouse’s auto-portability network has brought together retirement recordkeepers, retirement solutions providers and plan sponsors to improve auto-portability among retirement plan participants and reduce savings leakage. The network includes financial firms such as Empower, Fidelity Investments, TIAA and Vanguard and represents about 62 million workers and 139,000 employer-sponsored retirement plans. 

According to the public filings, Retirement Clearinghouse saw suspicious activity on one email account on March 15 and 16 and alerted the organization most likely to be affected by the breach. After an investigation, Retirement Clearinghouse reported the breach and began contacting participants with the offer of complimentary use of Experian’s IdentityWorks product to detect and resolve identity theft. The firm also provided the individuals with information on how to place a fraud alert and credit freeze on their finances and with contact details for national consumer reporting agencies.

The states involved in the breach included Maine, Maryland, New York, North Carolina and Rhode Island, as well as Washington, D.C., according to the public filings.

Retirement cybersecurity expert Gepfert notes six key tactics to help people avoid becoming part of the 75% of human mistakes that let in bad actors. They are: changing privacy settings on phones and computers; keeping software applications and operating systems up-to-date; creating strong passwords; using two methods of verification; learning about phishing email scams; and not sharing login information with other individuals.

Gepfert expects more cybersecurity guidance on retirement plan protection coming from the DOL in the near future. That is in part because plan sponsors are still in the process of reacting to the initial guidance, and further nudges may be needed for the guidance to “run downhill.”