[BreachExchange] Pension Funds – Another Glitch in the Matrix?

Destry Winant destry at riskbasedsecurity.com
Fri Sep 20 10:45:36 EDT 2019


On the Cyber Risk Analytics research team, we are always on the
lookout for patterns that may link together seemingly unrelated
breaches. In June of last year we reported on just such a pattern
occurring on the Click2Gov payment processing system. Unfortunately
the campaign targeting those vulnerable installations continued
throughout the summer, with at least 48 cities and towns – and most
likely more – victimized by the attackers.

This week we’re seeing what may be the beginnings of another campaign,
this time targeting pension funds. It is still too early to call this
a ‘pattern’ – but the contours of two recent events suggest there may
be a connection.

On September 5th, the Oklahoma Law Enforcement Retirements System,
known as OLERS, shared the news that hackers were able to divert
approximately $4.2 million dollars out of the pension fund. Details on
the event are scarce. What is known is that the theft itself took
place on August 26th and was the result of attackers gaining access to
an “employee’s email account.” Other information around the event is
so vague that it’s not clear whether that email account belonged to an
OLERS employee or an outside investment manager, when the compromise
of the email account occurred, how attackers managed to use the access
to move money, or whether any personal or sensitive information was
exposed in the process.

Just 6 days after the OLERS announcement, news surfaced that the City
of Austin Employee’s Retirement System, known as COAERS, had also been
breached. COAERS disclosed that the unauthorized access occurred on
August 6th and once again, it was an employee’s email account that was
compromised. Unlike the OLERS event, no funds have been reported
stolen. This time a breach notification obligation was triggered as
personal information held in the email account may have been accessed.
As yet, no evidence of abuse of the personal information has come to

So why might these be connected? Both attacks were aimed at public
employee pension funds, both went after email account access, and both
seemingly occurred within weeks of the other. Were these coordinated
events? It’s difficult to know based on the facts reported so far, but
there are enough similarities to catch our researcher’s eye and lead
us to wonder if we’ll be seeing additional incidents from other public
pension systems.

More information about the BreachExchange mailing list