How Cyber-Thieves Stole From Iowa Pension Accounts
By Theo Douglas, Government Technology
The online theft of money from Iowa Public Employees' Retirement System (IPERS) member accounts discovered on Halloween was not the result of a hack, an agency official said, but sparked an FBI investigation and changes to security practices.
The incident at the state pension fund that began in mid-October came to light on Tuesday, Oct. 31, when IPERS received a telephone call indicating one of its more than 350,000 members had not received a check.
The agency, which counts more than 115,000 retirees among its members, ran system queries and discovered 103 retiree accounts had been "compromised," according to Judy Akre, IPERS director of communications.
Thieves electronically took several hundred thousand dollars, Akre said, but after outreach to the banks and financial institutions involved, a portion of that money was "reverted" to its previous destinations. IPERS had assets of about $30.7 billion as of June 30.
The theft appears to have happened when thieves gained access to Social Security numbers and dates of birth for members and were able to leverage this information to register for IPERS online account access, then alter existing direct deposit information, Akre explained.
"It would be as if someone jumped onto your employer's system and posed as you and logged in as you and updated your personal information. They had the information they needed to establish a user name and password and get their online access. But we'll be doing a lot of changes right now to strengthen that accessibility," the director of communications said.
It's unclear how the criminals obtained the member information, though Akre said they did not get the Social Security numbers from IPERS.
When IPERS learned of the incident, it immediately disabled online account access and made telephone calls to alert members who had been affected.
Online account access was restored on Wednesday, Nov. 2 with exceptions: direct deposit information cannot be changed online; online member access remains unavailable for the 103 retired members whose payments were redirected; and the 103 fraudulent accounts detected have been disabled.
IPERS has reissued the payments affected to their "original financial institutions," Akre said, and members should receive their money on or before Monday, Nov. 7.
With an investigation ongoing, the communications director said it's too early for IPERS to offer advice to other state pension funds.
"I guess the best advice would be more directed to everyone, the general public, as far as online access and being very vigilant. Check your online account very frequently and change passwords," Akre said.
State Treasurer Michael Fitzgerald, a member of the IPERS Investment Board, told the Des Moines Register that he credits IPERS for catching the incident but called it "a very serious concern."
"But this has to be stopped or this great system that we have will just have to be changed," Fitzgerald told the Register's William Petroski.
Mitch Mortvedt, assistant director at the Iowa Division of Criminal Investigation in the state Department of Public Safety (DPS), confirmed via email that IPERS contacted his agency, but said he referred it to the FBI and DPS has "no involvement" in the investigation.
Huston Pullen, public affairs officer for the FBI in Omaha, Neb., said via email that the agency is "aware of the situation" and in communication with local authorities, but declined further comment.