A Data Breach of San Francisco's Pension System May Have Exposed Personal Financial Information of 74,000 Members
The city of San Francisco hasn't had the best few months when it comes to cybersecurity. First, in March, cybercriminals hacked a couple of San Francisco International Airport's websites, and now, the San Francisco Employees' Retirement System (SFERS) announced that some of its members' data may have been compromised.
Table of Contents
What happened?
According to a data breach notification published last week, the incident affects around 74 thousand people. For active SFERS members, the exposed details include names, home addresses, dates of birth, as well as the personal data of designated beneficiaries. The hackers may have also had access to some IRS forms and bank routing numbers of retired SFERS members and continuants, and the notice said that usernames and security questions and answers for the agency's website may have been compromised as well.
The exposed data doesn't include any Social Security Numbers, bank account numbers, or credit card details, but even so, the risk of identity theft is very real for the affected individuals, which is why they are offered a year's worth of identity theft protection for free. Out of an abundance of caution, SFERS has also forced a password reset for affected accounts.
Who was responsible?
Along with the data breach notification, SFERS also published an FAQ page. There is a "How did this happen?" question, but unfortunately, it doesn't give us any technical details on what went wrong. It does say, however, that 10up Inc, a contractor hired to develop and maintain SFERS' online service, is responsible for the breach.
Apparently, some time ago, 10up set up a test server in order to try out new features and improve the service. Instead of using dummy data for the purpose of testing, however, the vendor uploaded an August 2018 snapshot of SFERS' database that was full of people's personal information.
"An outside party" gained unauthorized access to the server on February 24, but 10up didn't learn about the breach until March 21. Five days later, the vendor informed SFERS about it, and now, the agency is letting everyone know.
According to the notification, the reason for the delayed disclosure is the investigation, which started immediately after the incident was uncovered. After the said investigation, SFERS and 10up can't say definitively whether the hackers downloaded the database while they had access to it.
Was it avoidable?
The official announcements don't give us a precise idea of what went wrong and why, and SFERS seems determined not to give away any technical information at this point. Because of this, it's difficult to gauge how bad the mistake was and how easily it could have been avoided.
It must be said that for the people who have had their personal details exposed, this doesn't really make much of a difference. What they need to focus on is being a bit more careful and watching out for signs of identity theft.
