A lawsuit filed recently in the U.S. District Court for the Northern District of Georgia underscores the emerging set of cybersecurity risks facing the U.S. financial services and retirement planning industry.
The lead plaintiff in the case says Horizon Actuarial Services LLC, a provider of actuarial and administrative services to retirement plans and other client types, failed to properly secure and safeguard sensitive personally identifiable information provided by and belonging to its customers. The types of data allegedly breached include names, dates of birth, health plan information and Social Security numbers.
According to the text of the lawsuit, and as detailed on Horizon Actuarial’s website, on or around November 12, 2021, the firm received an email from a group claiming to have stolen data from its computer servers on the two preceding days. Horizon, after conducting an internal investigation, paid the group in exchange for an “agreement that they would delete and not distribute or otherwise misuse stolen information.” As Horizon’s incident report spells out, the group provided a list of information they claimed to have stolen from Horizon’s servers, and on or about January 9, 2022, Horizon determined the information contained the sensitive information of individuals and prepared a preliminary list of individuals affected by the data breach.
“Defendant determined that the unauthorized actor accessed and exfiltrated the PII of more than 2,537,261 current and former Horizon customers, including that of plaintiff and class members,” the lawsuit states. “Despite learning of the Data Breach in November 2021, Horizon waited to begin informing class members until roughly January 13, 2022. Plaintiff did not receive his Notice of Data Incident from Horizon until April 14, 2022—more than five months after the data breach occurred.”
During this time, the lawsuit contends, the plaintiff and class members were unaware that their sensitive personal identifying information had been compromised. It states that, by “obtaining, collecting, using and deriving a benefit” from the proposed class of plaintiffs’ PII, Horizon “assumed legal and equitable duties to these individuals.” The lawsuit further claims that Horizon “admits that the unencrypted PII accessed and exfiltrated includes highly sensitive information, such as names, dates of birth, health plan information and Social Security numbers.”
“The exposed PII of defendant’s customers can be sold on the dark web and is in the hands of the group of criminals,” the complaint states. “Plaintiff and class members have no ability to protect themselves, as these criminals can easily access and/or offer for sale the unencrypted, unredacted PII to other criminals. Defendant’s customers face a lifetime risk of identity theft, which is heightened by the loss of their Social Security numbers.”
The lawsuit argues the PII in question was “compromised due to defendant’s negligent and/or careless acts and omissions and the failure to protect PII of defendant’s customers.” It argues the data was compromised as a result of the defendant’s failure to adequately protect the PII of the defendant’s customers and effectively secure hardware containing protected PII using reasonable and effective security procedures free of vulnerabilities.
“Defendant’s conduct amounts to negligence and violates federal and state statutes,” the lawsuit argues. “Plaintiff and class members have suffered numerous actual and imminent injuries as a direct result of the data breach, including theft of their PII; costs associated with the detection and prevention of identity theft; costs associated with time spent and the loss of productivity from taking time to address and attempt to ameliorate, mitigate, and deal with the consequences of the data breach; invasion of privacy; the emotional distress, stress, nuisance and annoyance of responding to, and resulting from, the data breach; the actual and/or imminent injury arising from actual and/or potential fraud and identity theft posed by their personal data being placed in the hands of the ill-intentioned hackers and/or criminals; damages to and diminution in value of their personal data entrusted to defendant with the mutual understanding that defendant would safeguard their PII against theft and not allow access to and misuse of their personal data by others; and the continued risk to their PII, which remains in the possession of defendant.”
On the company’s website, Horizon Actuarial contends that it “takes this incident and the security of information in our care very seriously.”
“We are reviewing our existing security policies and have implemented additional measures to further protect against similar incidents moving forward,” the firm says.
According to the Investment Company Institute, U.S. retirement plans held $37.4 trillion of investor assets at the end of 2021’s third quarter. Experts say that ocean of money—combined with the accounts’ valuable personal data and the multiple ways of accessing accounts remotely—makes retirement plans a natural target for thieves.
“As retirement plan advisers, we see phishing schemes, ransomware, social engineering attacks, email compromise and wire fraud,” warns David Graver, vice president of Fort Pitt Capital Group in Pittsburgh. “The last one really sticks out when specifically focusing on retirement accounts. Often, emails will be compromised, or online accounts hacked, and unauthorized loans or withdrawals will be requested from the account.”
Simply put, advisers, service providers and employers offering benefit plans must all be wary of cybersecurity risks and do their utmost to ensure they do not become victims of increasingly sophisticated and well-equipped cyberthieves. The text of the complaint is available here.