Alight Solutions, Abbott Lab Sued for Cyber Breach

The defendants allegedly failed to enforce an online security question routine, in turn allowing an unknown individual to steal hundreds of thousands of dollars from an Abbott Labs stock plan investor.

Litigation filed under the Employee Retirement Income Security Act (ERISA) tends to focus on the alleged fiduciary breaches of employers, but a new complaint in Illinois also names Alight Solutions in its role as a service provider.

The complaint, filed in the U.S. District Court for the Northern District of Illinois’ Eastern Division, names among various other defendants Abbott Laboratories, the company’s stock ownership plan, one individually named fiduciary, and Alight Solutions.

According to the plaintiffs, this case “arises from defendants’ reckless actions in allowing an unknown individual to prey on and steal hundreds of thousands of dollars from the retirement savings of the plaintiff, a retired former employee of Abbott Laboratories, which were held in Abbott Corporate Benefits Stock Retirement Plan.”

“Defendants failed to enforce a security question routine set up for security purposes on the defendants’ website, and instead simply provided a one-time code over the phone that was used to loot [plaintiff’s] account,” the complaint states. “Then, rather than communicating with [plaintiff] via email concerning changes to her account, as defendants knew [plaintiff] preferred, they mailed notices, allowing the theft to be consummated and $245,000 to be transferred out of the country via email to an Indian IP address before [plaintiff] could take any steps to halt the fraud.”

Details from the text of the complaint suggest the plaintiff did not share her account password with any individual other than her husband, who is the primary beneficiary of the account assets, which totaled more than $360,000 before the alleged security breach.

“On or about December 29, 2018, at 10:56 p.m. Central Time, an unknown user accessed [plaintiff’s] account via the internet, and chose the ‘forgot password’ option,” the complaint states. “The unknown user entered the last four digits of [plaintiff’s] Social Security number and her date of birth. These entries were challenged by the website. The unknown user elected to receive a one-time code via email, allegedly to [plaintiff’s] email account, rather than answer online security questions. [The plaintiff] has no record of ever receiving such an email.”

The one-time code was, according to the plaintiff, successfully entered and access to the account was granted. The unknown user changed the password and added to the account direct deposit information for a SunTrust bank account.

“Two days later, on December 31, 2018, an unknown individual (the ‘Impersonator’) contacted the Abbott Benefits Service Center, claiming to be [plaintiff],” the complaint states. “The Impersonator called from the phone number … which did not belong to [plaintiff], had never been used by [plaintiff] and was not associated with [plaintiff’s] plan account. The Impersonator told the customer service representative that they had tried to process a distribution online, but were unsuccessful. Defendants’ customer service representative, in a gross dereliction of duty, asked the Impersonator if they still lived at [the plaintiff’s address], thereby providing personal information to the Impersonator.”

Eventually, the complaint states, upon the Impersonator’s request, defendants authorized $245,000 to be transferred from the plaintiff’s account to the SunTrust Bank account.

“On January 9, 2019, defendants sent a letter via first class U.S. mail to [plaintiff], advising her of the transfer of funds,” the complaint states. “Once again, they failed to communicate with [plaintiff] via her preferred email communication method about the withdrawal. She did not receive this letter until January 14, 2019. Had defendants communicated information to her via email, she would have been able to halt the transfer and would have stopped the transfer.”

The complaint goes on to specifically allege the defendants breached their fiduciary duties of loyalty and prudence “by causing, allowing or processing unauthorized distributions of [plaintiff’s] account assets; failing to confirm authorizations for distributions with [plaintiff] before making distributions; failing to provide timely notice of distributions to [plaintiff] by telephone or email; failing to identify and halt suspicious distribution requests, such as requests for multiple distributions to accounts in different banks; failing to establish distribution processes to safeguard the plan’s assets against unauthorized withdrawals; failing to monitor other fiduciaries’ distribution processes, protocols and activities; and related acts and omissions.”

The full text of the complaint is here.

Abbott Laboratories has not yet responded to a request for comment about the litigation.

Alight Solutions shared the following statement: “While we can’t comment on any specific litigation, we take data security and protection of accounts seriously, and are committed to maintaining an aggressive approach to fraud prevention as threats evolve. We regularly communicate with our clients about our policies and practices and provide participants with a variety of resources to help guard against identity theft-related fraud. This can occur when individuals’ credentials are compromised from outside sources (often unsecure email) and independent from our systems. We continually evaluate and update our security protocols as the threat landscape evolves to ensure our measures meet or exceed industry standards. This includes multi-factor authentication, account alerts via multiple channels and specialized teams available to immediately assist customers who receive alerts for changes they did not authorize.”