A data breach has occurred at the San Francisco Employees’ Retirement System (SFERS), potentially exposing the personal details of 74,000 of its members to cyber-criminals. In a data breach notification filed yesterday, SFERS said that an unauthorized person had gained access to a database hosted in a test environment one of its vendors had set up on February 24 2020.
Upon learning of the breach on March 21, the vendor promptly shut down the server. Although SFERS confirmed that no social security numbers or bank account numbers were included in the data file, it admitted that sensitive information such as names, addresses, dates of birth, beneficiary details, website usernames, and security questions and answers could have been viewed or copied.
Commenting on the breach, Michael Borohovski, director of software engineering at Synopsys, said: “A breach like this is interesting, both because it leads to almost guaranteed identity theft (if the information actually was accessed and downloaded), since it’s a treasure trove of financial information, identifying information and security questions.”
He added: “The retired employees of San Francisco need to be extremely careful and verify, personally, through existing contact info they already had, that their beneficiaries actually sent an email, should the retirees receive one.”
It is likely that the decision to place this kind of data in a testing environment will come under the spotlight, as these “are much more prone to bugs and vulnerabilities than a production environment,” according to Borohovski.
Javvad Malik, security awareness advocate at KnowBe4, added: “Test environments are usually not secured or monitored to the same level as production environments, and it is never advisable to use real data in test cases. Rather, dummy data, or heavily redacted data, should be used so that even if it is leaked or breached, it does not impact any real customers.”
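As an added illustration of the practice Malik describes, and not code from the article, SFERS or any of its vendors, the Python script below takes records with the field categories the article lists (names, addresses, dates of birth, beneficiary links, usernames, security questions and answers) and produces a test dataset in which direct identifiers are replaced. Identifiers that must stay linkable across records (member and beneficiary ids, usernames) are replaced with keyed HMAC pseudonyms so the test data keeps its referential integrity; dates of birth are generalised to the year; free-text identifiers are dropped outright. A final check scans the output for any source identifier that survived. All records and the key are constructed for the demonstration; the key would belong in the generator's secrets store, never in the test environment itself.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample records that mirror the field categories named in the
# article. These are fabricated values, not real member data.
PRODUCTION_SAMPLE = [
    {
        "member_id": 1001,
        "name": "Alice Example",
        "address": "12 Sample St, San Francisco, CA 94110",
        "date_of_birth": "1955-03-14",
        "username": "alice.example",
        "security_question": "Mother's maiden name?",
        "security_answer": "Smith",
        "beneficiary_id": 1002,
    },
    {
        "member_id": 1002,
        "name": "Bob Example",
        "address": "99 Placeholder Ave, Oakland, CA 94601",
        "date_of_birth": "1960-11-02",
        "username": "bob.example",
        "security_question": "First pet's name?",
        "security_answer": "Rex",
        "beneficiary_id": None,
    },
]

# Hypothetical key for the demonstration. In practice it lives with the
# redaction job, not in the test environment that receives the output.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Fields whose original values must never appear in the test dataset.
DIRECT_IDENTIFIERS = ("name", "address", "username", "security_answer")


def pseudonym(value, key=PSEUDONYM_KEY, length=12):
    """Keyed, deterministic pseudonym: the same input always maps to the same
    token, so member/beneficiary links survive, but the token cannot be
    reversed without the key."""
    mac = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()
    return mac[:length]


def generalize_dob(iso_dob):
    """Keep only the birth year; enough for age-band logic in tests."""
    return f"{date.fromisoformat(iso_dob).year}-01-01"


def redact_record(rec, key=PSEUDONYM_KEY):
    """Build a test-safe copy of one member record."""
    member_token = pseudonym(rec["member_id"], key)
    beneficiary = rec.get("beneficiary_id")
    return {
        "member_id": member_token,
        "name": f"Member {member_token[:6]}",
        "address": "REDACTED",
        "date_of_birth": generalize_dob(rec["date_of_birth"]),
        "username": f"user_{pseudonym(rec['username'], key, 8)}",
        "security_question": "[test question]",
        "security_answer": "[test answer]",
        "beneficiary_id": pseudonym(beneficiary, key) if beneficiary is not None else None,
    }


def redact_dataset(records, key=PSEUDONYM_KEY):
    return [redact_record(r, key) for r in records]


def leaks(original_records, redacted_records):
    """Return (field, value) pairs from the source whose direct-identifier
    values still appear anywhere in the redacted output. An empty list means
    the dataset passed the check."""
    blob = json.dumps(redacted_records).lower()
    found = []
    for rec in original_records:
        for field in DIRECT_IDENTIFIERS:
            value = str(rec[field]).lower()
            if value and value in blob:
                found.append((field, rec[field]))
    return found


if __name__ == "__main__":
    test_data = redact_dataset(PRODUCTION_SAMPLE)
    print(json.dumps(test_data, indent=2))
    print("leaked identifiers:", leaks(PRODUCTION_SAMPLE, test_data))
```

The `leaks` check is deliberately blunt: it refuses the output if any original name, address, username or security answer is still present as a substring, which is the property a test environment needs regardless of how the redaction was done. Running the redaction job in the production boundary and shipping only its output to the test environment keeps the key and the real records out of the less-monitored system.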
The pension industry has been increasingly targeted by cyber-criminals in recent years. Last month it was reported that The Pensions Regulator faced a 148% increase in cyber-attacks in 2019.