Third-Party Administrators manage sensitive participant and financial data—making them prime targets for cyberattacks. These aren't hypothetical risks. Each summary below highlights key facts with a link to the original public report.
WebTPA Employer Services (2023)
Impact: 2.4 million individuals affected
In April 2023, hackers accessed WebTPA's network and stole personal data, including names, Social Security numbers, and insurance details. The breach was discovered months later, and written notices were issued to affected clients in early 2024.
What This Means for Your Firm: Delayed breach detection is common. Continuous monitoring and rapid incident response protocols aren't luxuries—they're requirements.
Read more on SecurityWeek →
Alera Group (2024)
Impact: 155,000+ affected
Between July and August 2024, attackers had access to this benefits administrator's systems, exposing Social Security numbers, identification numbers, and financial account information. The delay before affected individuals were notified drew regulatory criticism.
What This Means for Your Firm: How you communicate during a breach matters as much as your technical response. Delayed notifications damage client trust and invite regulatory scrutiny.
Read more on HIPAA Journal →
Pension Benefit Information (PBI) – MOVEit Breach (2023)
Impact: Over 1.2 million records stolen
PBI was one of the hundreds of organizations hit in the May 2023 mass exploitation of a zero-day in the MOVEit Transfer file-transfer product, leaking retirement plan participant data belonging to multiple pension and insurer clients that relied on PBI.
What This Means for Your Firm: Your recordkeepers and software vendors are extensions of your security perimeter, and so are their vendors: PBI's clients were exposed through a file-transfer product those clients never selected or controlled. Document your vendor security requirements, keep an inventory of which vendors hold or move participant data and what they in turn depend on, and conduct annual vendor risk assessments.
Read more on HIPAA Journal →
J.P. Morgan Retirement Plan Recordkeeping (2024)
Impact: 451,000 plan participants
A February 2024 breach in a third-party CRM system exposed retirement plan participant data, leading to class-action lawsuits.
What This Means for Your Firm: When your recordkeeper suffers a breach, Plan Sponsors look to you for answers. Establish clear incident coordination protocols with every vendor that touches participant data.
Read more on InvestmentNews →
The Pension Specialists, Ltd. (2024)
Impact: 71,000+ individuals
Detected in early 2024, this independent TPA breach exposed SSNs and other participant data to the intruders. Notifications went out later that year, after a forensic review that took months.
What This Means for Your Firm: A months-long gap between detection and notification usually means the firm could not quickly establish what the attacker reached and whose data it contained. Endpoint detection and response (EDR) surfaces the intrusion itself in hours rather than months, and centrally retained logs plus a current inventory of where participant data lives shrink the post-incident review from months to days.
Read more on PlanAdviser →
Carruth Compliance Consulting – 403(b)/457 Plans (2024)
Impact: 48,400 participants
In late 2024, Carruth discovered unauthorized access to their network, compromising retirement data for multiple school districts and public agencies.
What This Means for Your Firm: Public-sector Plan Sponsors often have stricter security requirements. Know your state breach notification laws and ensure your controls exceed minimum standards.
Read more on PlanAdviser →
Retirement Clearinghouse (2023)
Impact: 10,500 individuals
Phishing gave attackers access to employee email accounts that contained participant data and IRA account numbers.
What This Means for Your Firm: One clicked phishing link can expose thousands of participant records. Require security awareness training, deploy email filtering, and enforce MFA on every account, preferring phishing-resistant methods (FIDO2/WebAuthn) because one-time codes and push approvals can themselves be phished or fatigued; also disable legacy mail protocols that do not support MFA at all.
Read more on ASPPA →
Inspira / Millennium Trust (2024–2025)
Impact: 2,300+ clients
A third-party contractor misused data at Inspira Financial (formerly Millennium Trust), exposing sensitive retirement plan account details.
What This Means for Your Firm: Not all threats come from external hackers. Grant contractors only the access their engagement requires, set that access to expire with the engagement, log and alert on bulk exports of participant records, and re-certify every account's permissions on a fixed schedule rather than when someone happens to notice.
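The least-privilege and access-review practices recommended here (together with the MFA-on-every-account point made under Retirement Clearinghouse above) reduce to a handful of checks that can run on a schedule against an identity export. The script below is an added example, not code from this page or from any firm it names; the record layout, role names such as `bulk_export`, and the 90- and 180-day thresholds are assumptions chosen for illustration, and the account list is constructed sample data.

```python
"""Scheduled access review over an identity/entitlement export.

Added example, not code from the page or from any firm it names. The record
layout, role names and thresholds below are assumptions for illustration; a
real review would load the same fields from your IdP / HRIS export.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Roles that let one account move participant data in bulk (assumed names).
HIGH_RISK_ROLES = {"bulk_export", "plan_admin", "global_admin"}
STALE_DAYS = 90               # no login this long => access is probably unneeded
CONTRACTOR_RECERT_DAYS = 180  # contractor access must be re-approved at least this often

Finding = Tuple[str, str, str]  # (user, rule, detail)


@dataclass
class Account:
    user: str
    kind: str                      # "employee" or "contractor"
    roles: Set[str]
    mfa: bool
    last_login: Optional[date]
    engagement_end: Optional[date] = None  # contractors only
    last_approved: Optional[date] = None   # last manager re-certification


def review_access(accounts: List[Account], today: date) -> List[Finding]:
    """Apply least-privilege and hygiene rules; an empty list means the review is clean."""
    findings: List[Finding] = []
    for a in accounts:
        if a.kind == "contractor":
            # Access that outlives the engagement is the classic ex-insider gap.
            if a.engagement_end is not None and a.engagement_end < today:
                findings.append((a.user, "contractor_past_end",
                                 f"engagement ended {a.engagement_end} but access is still active"))
            # Standing access is re-approved on a fixed cadence, not "until noticed".
            if a.last_approved is None or (today - a.last_approved).days > CONTRACTOR_RECERT_DAYS:
                findings.append((a.user, "contractor_recert_overdue",
                                 f"last approval {a.last_approved}, limit {CONTRACTOR_RECERT_DAYS} days"))
            # Contractors should not hold roles that can export participant data in bulk.
            excess = a.roles & HIGH_RISK_ROLES
            if excess:
                findings.append((a.user, "contractor_high_risk_role",
                                 "holds " + ", ".join(sorted(excess))))
        # Applies to everyone: one phished password must not be enough.
        if not a.mfa:
            findings.append((a.user, "no_mfa", "MFA not enrolled"))
        # Dormant accounts are footholds nobody is watching.
        if a.last_login is None or (today - a.last_login).days > STALE_DAYS:
            findings.append((a.user, "stale_account",
                             f"last login {a.last_login}, limit {STALE_DAYS} days"))
    return findings


# Constructed sample export; not data from any real firm.
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", {"plan_admin"}, True, date(2025, 2, 28)),
    Account("bob", "employee", {"case_worker"}, False, date(2025, 2, 27)),
    Account("carol", "contractor", {"bulk_export", "case_worker"}, True, date(2025, 2, 20),
            engagement_end=date(2024, 12, 31), last_approved=date(2024, 6, 1)),
    Account("dave", "employee", {"case_worker"}, True, date(2024, 10, 1)),
    Account("erin", "contractor", {"case_worker"}, True, date(2025, 2, 25),
            engagement_end=date(2025, 6, 30), last_approved=date(2025, 1, 15)),
]
REVIEW_DATE = date(2025, 3, 1)


def run_sample_review() -> List[Finding]:
    """Run the review against the constructed export (used by the demo below)."""
    return review_access(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, rule, detail in run_sample_review():
        print(f"{user:6} {rule:28} {detail}")
```

Run it as a weekly job and treat every finding as a ticket to the account owner's manager. None of the rules is sophisticated; the value is that they run on a calendar instead of being discovered during the incident investigation.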
Read more on PlanAdviser →
Northwest Retirement Plan Consultants (2024–2025)
Impact: 800+ employer plans, undisclosed participant count
In August 2024, Northwest Retirement Plan Consultants discovered unauthorized access to its network. The breach triggered class-action investigations from multiple law firms. In early 2026, NWRPC agreed to settle the resulting litigation for $1.2 million, covering credit monitoring services, out-of-pocket losses, and identity theft protection for affected participants.
What This Means for Your Firm: Breach costs extend far beyond remediation. Legal fees, class action settlements, and regulatory penalties can threaten a TPA's viability. Proactive TPA IT security is cheaper than reactive crisis management.
Read more on ClassAction.org →
Transamerica (2025)
Impact: 1,300 retirement plan participants
In May 2025, Transamerica disclosed a social engineering attack where threat actors impersonated participants to gain account access. The breach exposed account balances, personal details, and in some cases allowed unauthorized distributions from retirement accounts.
What This Means for Your Firm: Technical controls alone are not enough; social engineering targets the people who process transactions. Require step-up identity verification before any distribution, address change, or bank-account change (for example, a callback to the phone number already on file, and a hold on disbursements that follow a recent change to contact or banking details), and train staff to recognize impersonation attempts.
Read more on NAPA Net →
DOL Elevates Cybersecurity to National Enforcement Project (January 2026)
On January 15, 2026, the Department of Labor elevated cybersecurity to a formal National Enforcement Project under EBSA—placing it alongside mental health parity as one of the agency's highest investigation priorities. This follows the September 2024 guidance update that expanded cybersecurity requirements to all ERISA-covered plans and all service providers, not just recordkeepers. EBSA's FY 2025 enforcement yielded $1.4 billion in recoveries across 878 civil investigations. TPAs without documented cybersecurity programs now face direct regulatory exposure.
Learn how TPAIT helps TPAs meet DOL cybersecurity requirements →
Common Themes Across These Breaches
- Delayed detection — months between breach and discovery
- Inadequate vendor oversight — third-party vulnerabilities becoming your problem
- Missing access controls — excessive permissions enabling data theft
- Slow notification — damaging client trust and inviting regulatory action
None of these firms expected to be breached. All paid significant costs in notification expenses, legal fees, and lost client trust.
Your Security Posture Is a Competitive Differentiator
Plan Sponsors are asking tougher questions. Auditors are scrutinizing IT controls more closely. The TPAs that thrive will be those that can demonstrate—not just claim—strong security practices.