California Man Accused of Fleecing Boeing Retirement Plan

Situations like this emphasize the clear and present need for retirement plans to implement effective cybersecurity policies.

A federal grand jury has indicted an Orange County man on charges that he fraudulently obtained access to Boeing employees’ retirement accounts.

The grand jury heard sufficient evidence to charge Hao Vo, who is 30, for the theft of hundreds of thousands of dollars from Boeing employees’ accounts. Vo is charged with three counts of bank fraud and one count of aggravated identity theft.

According to the indictment, from January 2019 to June 2019, Vo obtained the personal identifying information of various Boeing employees, along with information about their retirement accounts. He then allegedly made fraudulent withdrawal requests for checks and electronic money transfers totaling hundreds of thousands of dollars, the indictment claims.

According to federal prosecutors, Vo knew that notifications and checks related to these fraudulent requests would be mailed out, and so he placed holds on the Boeing employees’ mail with the United States Postal Service. Once the mail was held, Vo allegedly intercepted the mail by presenting to a postal employee a fraudulent California driver’s license with a Boeing employee’s personal identifying information, and a fraudulent note purportedly written or signed by the Boeing employee authorizing Vo to pick up the employee’s mail.

The indictment states that Vo also cashed checks written to himself from the fraudulently opened bank account by using the Boeing employee’s forged signature, and endorsed the checks himself, according to the indictment. In total, Vo attempted to obtain approximately $783,328 from Boeing employees’ retirement accounts and actually obtained approximately $360,847, the indictment alleges.

It is important to note that an indictment contains allegations that a defendant has committed a crime. Every defendant is presumed innocent until and unless proven guilty beyond a reasonable doubt. Prosecutors say these charges carry a potential of many decades in prison, should Vo be found guilty.

Cases like these emphasize the clear and present need for retirement plans to implement effective cybersecurity policies. Generally speaking, should a breach or fraud occur having to do with plan data, a sponsor could be liable if the claimant establishes that it failed to follow a prudent process to safeguard the plan data, says Joan Neri, counsel in Drinker, Biddle & Reath’s ERISA practice. 

“Liability could develop, and the consequences could be severe,” she warns. “The sponsor would need to make the plan whole, to send notifications about the breach and fraud to participants, and to provide them with identity theft protection. There would be business interruption and reputational risk.”

Neri says sponsors need to be mindful about the sensitive data they manage on behalf of retirement plan participants—their dates of birth, Social Security numbers and account balances. Breaches could occur through phishing, malware or a stolen laptop, she notes.