The pension system’s vendor, 10up Inc., said an outside party accessed a test data server with members’ information on Feb. 24. The server was closed, and 10up Inc. said there was no evidence information was removed but that it could not confirm whether the data was viewed or copied.
The data, which was last updated on Aug. 29, 2018, may have included first names, home addresses, dates of birth, designated beneficiary information, and SFERS website user names and passwords, the fund revealed Tuesday. Retired pension members may have had 1099-R tax form information and bank routing numbers exposed.
“Your personal financial information may be misused,” the pension fund said.
Social Security numbers and bank routing numbers were not included, SFERS said.
An investigation is ongoing and all members are required to reset their passwords.
“The San Francisco Employee’s Retirement System breach is a good reminder that even applications on test systems need to be secured against threats, whether they are internal — bad actors in the organization and its partners — or external, coming from hackers trying to exploit vulnerabilities,” Jayant Shukla, co-founder of K2 Cyber Security in San Jose, said in a statement. “Vulnerabilities, misconfigured servers, and misused credentials are among the top reasons systems get breached.”
The breach occurred shortly before another city agency, the San Francisco International Airport, reported hacks of SFOConstruction.com and SFOConnect.com, two websites used by suppliers, in March. The airport said login information may have been taken.
©2020 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.