[BreachExchange] San Francisco retirement program SFERS suffers data breach

Destry Winant destry at riskbasedsecurity.com
Thu Jun 4 10:15:30 EDT 2020


The San Francisco Employees’ Retirement System (SFERS) has suffered a
data breach after an unauthorized person gained access to a database
hosted in a test environment.

SFERS manages the benefits program for active and retired employees of
San Francisco, California.

In a data breach notification filed today, SFERS stated that one of
their vendors had set up a test environment that included a database
containing the information for approximately 74,000 SFERS members.

On March 21, 2020, the vendor learned that the server had been
accessed by an unauthorized third-party on February 24, 2020. They
subsequently told SFERS on March 26, when an investigation was

"On March 21, 2020, 10up Inc. learned that this server had been
accessed by an outside party on February 24, 2020.  The vendor
promptly shut down the server and began an investigation.  The vendor
found no evidence that the information of SFERS members was removed
from its server, but at this time, it cannot confirm that the
information was not viewed or copied by an unauthorized party.  On
March 26, 2020, the vendor notified SFERS of the server breach and
both SFERS and the vendor continue to investigate the potential
exposure of data," the data breach notification states.

While SFERS states that no Social Security Numbers or bank account
information was contained in the breach, there was enough personal
information exposed that could be used by threat actors in attacks.

According to the notification, the types of information that was
exposed is different depending on whether a member is retired or if
they had registered on the web site.

The leaked information for all members includes a member's name,
address, date of birth, and beneficiary information.

Retired members also had IRS Form 1099R information (excluding SSN)
and the direct deposit bank account routing numbers exposed.

Finally, if a member had registered at the site, the leaked
information would have included their login name and security
questions and answers.

As the test environment used an old database, the data exposed is from
no later than August 29th, 2018.

What should SFERS members do?

SFERS is offering all exposed members a complimentary one-year
membership of Experian’s IdentityWorks monitoring service.

All members should immediately take advantage of this subscription to
monitor their credit history and other information that may be exposed
on the dark web.

As the exposed information can be used in phishing attacks, especially
the security questions and answers, all affected members should be on
the lookout for unusual emails.

If you receive an email claiming to be from SFERS and prompting you to
enter your credentials or other sensitive information, it is advised
that you contact SFERS directly to confirm the legitimacy of the

More information about the BreachExchange mailing list