I came across this story while researching to write the Pension Watch column in a way it will benefit readers of these pages, “The FBI is investigating how cyber hackers stole more than $4 million from Oklahoma law enforcement’s retirement fund, according to an announcement posted Friday to the system’s website.”
Note the following facts: the hacking was in the United States of America, a country that boasts of being a leader in the ICT technology. A more significant irony is that, the pension money stolen belongs to the Oklahoma Law Enforcement Retirement Fund.
“Oklahoma Law Enforcement Retirement System was recently a victim of a cyber-crime where $4.2 million was stolen,” the announcement posted to the OLERS web site says.
The story says further, “We notified the FBI who is conducting an active investigation of the crime. Because of the ongoing investigation, we cannot comment further on the details.”
The Oklahoma pension fund hacking is not the first in the United States of America. The Iowa Public Employees’ Retirement System (IPERS) Accounts were compromised and thousands of Dollars stolen from 103 retiree accounts in 2017. IPERS holds pension assets in excess of $30 billion as at June 2017.
The reports says that the theft “appears to have happened when thieves gained access to Social Security numbers and dates of birth for members and were able to leverage this information to register for IPERS online account access, then alter existing direct deposit information.”
The amounts stolen from the Oklahoma retirement fund and IPERS are tiny relative to the $19.4 billion stolen by cyber hackers in the United States in 2017, affecting 143 million Americans. MIT Technology Review quoted Norton Security saying that $172 billion was stolen by cyber hackers in the same year, affecting 978 million people in 20 countries around the world.
In May 2015, the Japanese Pension System was hacked, over a million personal data stolen and leaked, although no money was pilfered by the unknown and untraceable hackers, it was embarrassing for a country driven by technology.
The examples of hacking pension funds data from countries with strong ICT capabilities should serve as a warning to our own pension management institutions, principally the National Pension Commission and the Pension Transitional Arrangement Directorate to be constantly on the alert against heartless cyber hackers, who might be lurking somewhere. No country or institution that uses the Internet or cyber space is absolutely immune from hackers.
Given the reality of no absolute immunity, no cyber security measures should be seen as excessive in guarding against hackers. The former Director General of the National Information Technology Development Agency (NITDA) and now Minister of Communications, Dr. Ibrahim Isa Pantami, put it aptly in a June 2019 speech, “Nigeria loses about N127 billion to cybercrimes yearly. This is caused in part by our inability to adequately secure our Information Systems (IS) . Therefore, securing our IS is a must.”
Indeed, both the National Pension Commission and the Pension Transitional Arrangement Directorate should sustainably and continously be ahead of the criminals by updating their cyber security systems. Similarly constant vigilance is essential for all financial institutions in this country.
Accountancy Daily, a UK publication, quoted guidelines issued by the Pensions Research Accountants Group (PRAG) in which various types of cyber security breaches were mentioned, “Attacks come in many different guises, including data and firewall breaches, malware, ransomware and virus attacks, as well as more traditional crime such as theft of hard drives and data files.”
Accountancy Daily reported that, “The Pensions Research Accountants Group (PRAG) is warning that pension funds are at high risk of attack from cyber criminals as they have access to extensive personal identity data including addresses, financial records and banking details, which can be sold, or used to compromise or steal from other victims.”
Like other entities, PenCom and PTAD should heed the PRAG advisory.
