SFERS

The San Francisco Employees’ Retirement System (SFERS) has suffered a data breach after an unauthorized person gained access to a database hosted in a test environment.

SFERS manages the benefits program for active and retired employees of San Francisco, California.

In a data breach notification filed today, SFERS stated that one of their vendors had set up a test environment that included a database containing the information for approximately 74,000 SFERS members.

On March 21, 2020, the vendor learned that the server had been accessed by an unauthorized third party on February 24, 2020. The vendor subsequently told SFERS on March 26, when an investigation was started.

"On March 21, 2020, 10up Inc. learned that this server had been accessed by an outside party on February 24, 2020.  The vendor promptly shut down the server and began an investigation.  The vendor found no evidence that the information of SFERS members was removed from its server, but at this time, it cannot confirm that the information was not viewed or copied by an unauthorized party.  On March 26, 2020, the vendor notified SFERS of the server breach and both SFERS and the vendor continue to investigate the potential exposure of data," the data breach notification states.

While SFERS states that no Social Security Numbers or bank account information was contained in the breach, enough personal information was exposed to be useful to threat actors in attacks.

According to the notification, the types of information exposed differ depending on whether a member is retired or had registered on the website.

The leaked information for all members includes a member's name, address, date of birth, and beneficiary information.

Retired members also had IRS Form 1099R information (excluding SSN) and the direct deposit bank account routing numbers exposed.

Finally, if a member had registered at the site, the leaked information would have included their login name and security questions and answers.

As the test environment used an old database, the data exposed is from no later than August 29th, 2018.

What should SFERS members do?

SFERS is offering all exposed members a complimentary one-year membership of Experian’s IdentityWorks monitoring service.

All members should immediately take advantage of this subscription to monitor their credit history and other information that may be exposed on the dark web.

As the exposed information can be used in phishing attacks, especially the security questions and answers, all affected members should be on the lookout for unusual emails.

If you receive an email claiming to be from SFERS and prompting you to enter your credentials or other sensitive information, it is advised that you contact SFERS directly to confirm the legitimacy of the email.
