201903.11

Personal data for 1,000 pensioners accessed from OC Sanitation District

Birth dates and Social Security numbers for 1,000 Orange County Sanitation District retirees were accessed in a phishing scheme, the district confirmed Monday.

District retirees, former employees and board members were being notified of the data breach in the utility’s deferred compensation plan, which occurred in December after a file at NFP Corp. was accessed via a phishing email, said a district fact sheet.

NFP is the district’s $160,000-a-year financial consultant for its deferred compensation funds. District participants were advised Monday to add Equifax fraud watch, 800-685-1111, to their credit. The first year is free.

District officials said the deferred compensation plan is on a separate system from its sanitation operations, which cannot be accessed online and have several protections against computer hacking. The retirement fund breach is under investigation.

“OCSD is still gathering information and working with the parties involved to fully understand the situation and the data breach,” said district spokesperson Jennifer Cabral. “OCSD will continue to actively work with all plan participants to ensure they have the resources they need to monitor and protect their identity and credit.”

The FAQ sheet said it appeared that a subdivision of NFP, while upgrading its fund strategy, requested certain information from Voya Inc., the district’s plan record keeper. No personally identifying information was requested, but names, birth dates and Social Security numbers were among the data sent by Voya around September 2017. The information sat in an NFP employee’s inbox until it was accessed in December 2018 by an unauthorized user via a phishing email, the district said.

“If proper protocols were followed, this would and should not have occurred,” said the district document.

When the breach was discovered, NFP hired a security consultant that helped notify law enforcement and participants, which the district said could take months because of the size of the group.

The district said it was notified of the gaffe on Feb. 22.

NFP is making corrections on several fronts and Voya has implemented refresher training, updated protocols, and safeguards against the manner by which the inbox was accessed, according to the FAQ sheet.

The training includes a reminder that sensitive information needs to be redacted, saved to a secure server, and deleted from emails. NFP stated that its requests for data explicitly directed Voya not to provide any personally identifiable information.

“OCSD has determined that Voya utilizes Social Security numbers as participant numbers for the purpose of reporting to the IRS. OCSD has since requested that Voya change OCSD’s participants’ identification number from Social Security numbers to OCSD employee identification numbers as soon as possible,” the district said.