SAN FRANCISCO—The San Francisco Employees’ Retirement System (SFERS) announced on Monday, June 1, that a security breach of SFERS data held in a system run by one of its partners, 10up Inc., took place on February 24.
According to its website, SFERS serves almost 71,000 active and retired workers in the City and County of San Francisco, as well as their survivors. It was established in the early 1920s in order to protect the financial security of San Franciscans through pension trust investments and benefits packages.
10up is a web consultancy firm that provides assistance and tools to help content creators build their digital platforms. For SFERS, 10up helped in implementing basic membership management features, along with polishing the organization’s web presence.
SFERS commissioned 10up to create a system that would allow users to access their account details online. To do this, 10up created a structure that contained a database with about 74,000 SFERS members’ basic information—but nothing related to payment details (no Social Security Numbers and no Bank Account Numbers). The database had been in place since August 29, 2018.
According to an SFERS report from March 21, 2020, 10up learned that, on February 24, an outside party had accessed a testing version of the database with three-year-old information of the 74,000 accounts. 10up has been conducting an investigation into the breach since it was discovered. SFERS also launched an investigation when 10up notified it about the breach on March 26.
As a result of the breach, 10up locked the server database and SFERS required users to reset their passwords.
So far, 10up can only confirm that an external party had the ability to access the information. The company emphasizes that there is no evidence that any data was actually accessed or taken.
“While an imperfect metaphor…think of this more like, ‘We found out that someone who shouldn’t have was able to steal a copy of the apartment building’s key last week – we’ve fixed that and made it virtually impossible to happen again, and nothing in your unit appears to be misplaced or out of order – but we thought you deserved to know.’ I’m not trying to minimize that this might justly be concerning – but it is considerably different than leaving the impression of evidence that something was stolen,” explained Jake Goldman, president and founder of 10up.
The SFERS report states that depending on the registration status of an SFERS member, the following information could have been accessed: full name, full home address, date of birth, information for the IRS (excluding one’s Social Security Number), a bank routing number, and SFERS website account username and security questions and answers (but no passwords).
According to Goldman, the sort of information in the breached database is not the sort that could easily be used to steal someone’s identity. As a safety precaution, SFERS is providing all of its members with a free one-year membership in Experian’s IdentityWorks identity theft protection service.
Goldman noted that 10up has “taken a number of steps to strengthen our internal auditing protocols to prevent a recurrence.”