More than 48,400 people enrolled in the 403(b) and 457(b) retirement plans of 12 public school districts and community colleges were victims of a cyber breach that leaked their personal information, according to notices filed by the educational institutions with the Maine Attorney General’s Office.
The cyber thieves accessed the data without authorization by hacking the computer systems of Carruth Compliance Consulting, a third-party service vendor that the schools used to administer their 403(b) and 457(b) retirement savings plans, the filing said.
The stolen personal data included their names and a combination of their Social Security numbers and financial account information.
In more limited circumstances, the pilfered data also included drivers’ license numbers, W-2 information, medical billing information and tax filings.
Carruth Compliance determined that the hack occurred between Dec. 19 – Dec. 26, during which time files were copied from their systems. When the firm became aware of suspicious activity, it began working with third-party specialists to investigate what happened and notified the Federal Bureau of Investigation.
It notified the affected educational institutions on Jan. 13, the filing said.
CCC did not respond to an email about whether other educational institutions outside the 12 that reported the incident to the Maine Attorney General were affected.
In a notice posted on its website, the company provided information about the cyber event and its response.
“The confidentiality, privacy and security of information in our care is among our highest priorities,” the notice said.
Hardest hit
Linn-Benton Community College, a public community college located in Linn County, Oregon, and Benton County, Oregon, was hit the hardest by the hack. Of the total 48,419 individuals affected, 15,008 were participants in LBCC’s retirement savings plans.
“This incident impacts all employees who have been employed by LBCC, regardless of whether or not Carruth was actively managing your 403(b) and 457(b) retirement savings plans,” LBCC said in a statement on its website.
The other community colleges and public-school districts were Chemeketa Community College, Greater Albany Public School District, Gladstone School District, Lincoln County School District, Klamath County School District, Southern Oregon Educational Services District, North Santiam School District, Jefferson School District, Junction City School District and Perrydale School System, all based in Oregon. North Wasco County School District is in Maine.
“This incident potentially impacts nearly all employees as well as retirees and former employees back to 2009,” said Klamath County School District in a notice on its website.
A spokeswoman for KCSD added that the school district is working with staff and former staff members to ensure they have the training they need to secure their identities and credit. Other affected educational institutions either did not respond to a request for comment or could not be reached.
The 12 public school districts and community colleges notified all victims of the breach on Feb. 28.
The schools are offering affected individuals complimentary credit-monitoring and identity-theft protection services through IDX, a data-breach and recovery-services firm. The services include 12 months of credit and dark web monitoring as well as a $1 million insurance reimbursement policy.
The hack is the latest in a string of cyber breaches that leaked the personal information of retirement savers at other institutions. On Feb. 20, Inspira Financial Trust – a provider of health, wealth and retirement services – notified more than 2,300 customers that their personal data was improperly accessed by a third-party call center representative. That followed a cyber breach at retirement plan administrator The Pension Specialists, an incident that affected more than 71,000 retirement savers.
