Personal data for 1,000 pensioners accessed from OC Sanitation District – Orange County Register

Birth dates and Social Security numbers for 1,000 Orange County Sanitation District retirees were accessed in a phishing scheme, the district confirmed Monday.

District retirees, former employees and board members were being notified of the data breach in the utility’s deferred compensation plan, which occurred in December after a file at NFP Corp. was accessed via a phishing email, said a district fact sheet.

NFP is the district’s $160,000-a-year financial consultant for its deferred compensation funds. District participants were advised Monday to add Equifax fraud watch, 800-685-1111, to their credit. The first year is free.

District officials said the deferred compensation plan is on a separate system than its sanitation operations, which cannot be accessed online and have several protections from computer hacking. The retirement fund breach is under investigation.

“OCSD is still gathering information and working with the parties involved to fully understand the situation and the data breach,” said district spokesperson Jennifer Cabral. “OCSD will continue to actively work with all plan participants to ensure they have the resources they need to monitor and protect their identity and credit.”

The FAQ sheet said it appeared that a subdivision of NFP, while upgrading its fund strategy, requested certain information from Voya Inc., the district’s plan record keeper. No personal identifying information was requested, but name, birth date and Social Security numbers were among the data sent by Voya around September 2017. The information sat in an NFP employee’s inbox until it was accessed in December 2018 by an unauthorized user via a phishing email, the district said.

“If proper protocols were followed, this would and should not have occurred,” said the district document.