Third-Party Administrators manage sensitive participant and financial data—making them prime targets for cyberattacks. These aren't hypothetical risks. Each summary below highlights key facts with a link to the original public report.

WebTPA Employer Services (2023)

Impact: 2.4 million individuals affected

In April 2023, hackers accessed WebTPA's network and stole personal data, including names, Social Security numbers, and insurance details. The breach was discovered months later, and written notices were issued to affected clients in early 2024.

What This Means for Your Firm: Delayed breach detection is common. Continuous monitoring and rapid incident response protocols aren't luxuries—they're requirements.

Read more on SecurityWeek →

Alera Group (2024)

Impact: 155,000+ affected

Between July and August 2024, this benefits administrator was breached, exposing sensitive data like SSNs, IDs, and account info. Notification delays drew regulatory criticism.

What This Means for Your Firm: How you communicate during a breach matters as much as your technical response. Delayed notifications damage client trust and invite regulatory scrutiny.

Read more on HIPAA Journal →

Pension Benefit Information (PBI) – MOVEit Breach (2023)

Impact: Over 1.2 million records stolen

The MOVEit file-transfer exploit hit PBI in May 2023, leaking retirement plan participant data across multiple pension and insurer clients.

What This Means for Your Firm: Your recordkeepers and software vendors are extensions of your security perimeter. Document your vendor security requirements and conduct annual vendor risk assessments.

Read more on HIPAA Journal →

J.P. Morgan Retirement Plan Recordkeeping (2024)

Impact: 451,000 plan participants

A February 2024 breach in a third-party CRM system exposed retirement plan participant data, leading to class-action lawsuits.

What This Means for Your Firm: When your recordkeeper suffers a breach, Plan Sponsors look to you for answers. Establish clear incident coordination protocols with every vendor that touches participant data.

Read more on InvestmentNews →

The Pension Specialists, Ltd. (2024)

Impact: 71,000+ individuals

Detected in early 2024, this independent TPA breach involved SSNs and participant data accessed by hackers. Notifications went out later that year after a lengthy forensic review.

What This Means for Your Firm: Months-long forensic reviews signal inadequate monitoring. Deploy endpoint detection and response (EDR) tools that identify threats in hours, not months.

Read more on PlanAdviser →

Carruth Compliance Consulting – 403(b)/457 Plans (2024)

Impact: 48,400 participants

In late 2024, Carruth discovered unauthorized access to their network, compromising retirement data for multiple school districts and public agencies.

What This Means for Your Firm: Public-sector Plan Sponsors often have stricter security requirements. Know your state breach notification laws and ensure your controls exceed minimum standards.

Read more on PlanAdviser →

Retirement Clearinghouse (2023)

Impact: 10,500 individuals

Phishing led to unauthorized access to employee email accounts containing participant data and IRA account numbers.

What This Means for Your Firm: One clicked phishing link can expose thousands of participant records. Implement mandatory security awareness training, MFA on all accounts, and email filtering.

Read more on ASPPA →

Inspira / Millennium Trust (2024–2025)

Impact: 2,300+ clients

A third-party contractor misused data at Inspira Financial (formerly Millennium Trust), exposing sensitive retirement plan account details.

What This Means for Your Firm: Not all threats come from external hackers. Implement least-privilege access controls and regular access reviews—especially for contractors.

Read more on PlanAdviser →

Common Themes Across These Breaches

  • Delayed detection — months between breach and discovery
  • Inadequate vendor oversight — third-party vulnerabilities becoming your problem
  • Missing access controls — excessive permissions enabling data theft
  • Slow notification — damaging client trust and inviting regulatory action

None of these firms expected to be breached. All paid significant costs in notification expenses, legal fees, and lost client trust.

Your Security Posture Is a Competitive Differentiator

Plan Sponsors are asking tougher questions. Auditors are scrutinizing IT controls more closely. The TPAs that thrive will be those that can demonstrate—not just claim—strong security practices.

Don't Wait for a Breach

Assess your vulnerabilities before your next audit or filing season.

Free IT & Cyber Assessment