TPA Breach Insights
Third-Party Administrators (TPAs) manage sensitive participant and financial data—making them prime targets for cyberattacks. These aren’t hypothetical risks. These recent breaches from the past three years reveal why strong cybersecurity, vendor oversight, and data governance are no longer optional in the retirement and benefits administration industry.
Each summary below highlights key facts with a link to the original public report for further reading.
WebTPA Employer Services (2023)
Impact: 2.4 million individuals affected
Details: In April 2023, hackers accessed WebTPA’s network and stole personal data, including names, Social Security numbers, and insurance details. The breach was discovered months later, and written notices were issued to affected clients in early 2024. Lawsuits soon followed.
Takeaway: Even established TPAs face exposure from delayed detection and complex data ecosystems.
What This Means for Your Firm: Delayed breach detection is common. Continuous monitoring and rapid incident response protocols aren’t luxuries—they’re requirements. Plan Sponsors will ask how quickly you can detect and contain threats.
Alera Group (2024)
Impact: 155,000+ affected
Details: Between July and August 2024, this benefits administrator was breached, exposing sensitive data like SSNs, IDs, and account info. Notification delays drew regulatory criticism.
Takeaway: Prompt disclosure and communication are critical during breach response.
What This Means for Your Firm: How you communicate during a breach matters as much as your technical response. Delayed notifications damage client trust and invite regulatory scrutiny—have your communication plan ready before you need it.
Pension Benefit Information (PBI) – MOVEit Breach (2023)
Impact: Over 1.2 million records stolen
Details: The MOVEit file-transfer exploit hit PBI in May 2023, leaking retirement plan participant data across multiple pension and insurer clients.
Takeaway: Even trusted third-party vendors introduce cybersecurity risk; monitoring vendor platforms is vital.
What This Means for Your Firm: Your recordkeepers and software vendors are extensions of your security perimeter. Document your vendor security requirements and conduct annual vendor risk assessments—Plan Sponsors will ask for them.
J.P. Morgan Retirement Plan Recordkeeping (2024)
Impact: 451,000 plan participants
Details: A February 2024 breach in a third-party CRM system exposed retirement plan participant data, leading to class-action lawsuits.
Takeaway: Large recordkeepers aren’t immune — vendor breaches can cascade through an entire plan network.
What This Means for Your Firm: When your recordkeeper suffers a breach, Plan Sponsors look to you for answers. Establish clear incident coordination protocols with every vendor that touches participant data.
The Pension Specialists, Ltd. (2024)
Impact: 71,000+ individuals
Details: Detected in early 2024, this independent TPA breach involved SSNs and participant data accessed by hackers. Notifications went out later that year after a lengthy forensic review.
Takeaway: TPAs need rapid incident response and proactive detection systems.
What This Means for Your Firm: Months-long forensic reviews signal inadequate monitoring. Deploy endpoint detection and response (EDR) tools that identify threats in hours, not months—before participant data is exfiltrated.
Carruth Compliance Consulting (403(b)/457 Plans – 2024)
Impact: 48,400 participants
Details: In late 2024, Carruth discovered unauthorized access to their network, compromising retirement data for multiple school districts and public agencies.
Takeaway: TPAs serving public-sector clients must treat participant data as critical infrastructure.
What This Means for Your Firm: Public-sector Plan Sponsors often have stricter security and disclosure requirements than private employers. Know your state breach notification laws and ensure your controls exceed minimum standards.
Retirement Clearinghouse (2023)
Impact: 10,500 individuals
Details: Phishing led to unauthorized access of employee email accounts containing participant data and IRA account numbers.
Takeaway: Phishing is still one of the most common — and preventable — TPA security failures.
What This Means for Your Firm: One clicked phishing link can expose thousands of participant records. Implement mandatory security awareness training, MFA on all accounts, and email filtering that blocks credential harvesting attempts.
Inspira / Millennium Trust (2024–2025)
Impact: 2,300+ clients
Details: A third-party contractor misused data at Inspira Financial (formerly Millennium Trust), exposing sensitive retirement plan account details.
Takeaway: Insider misuse and vendor oversight must be core parts of your cybersecurity program.
What This Means for Your Firm: Not all threats come from external hackers. Implement principle of least privilege access controls, audit logs for all sensitive data access, and regular access reviews—especially for contractors and temporary staff.
These breaches share common themes: delayed detection, inadequate vendor oversight, and missing access controls. None of these firms expected to be breached. All paid significant costs in notification expenses, legal fees, and lost client trust.
Your firm’s cybersecurity posture is now a competitive differentiator. Plan Sponsors are asking tougher questions. Auditors are scrutinizing IT controls more closely. The TPAs that thrive will be those that can demonstrate—not just claim—strong security practices.
Don’t wait for a breach to prioritize security.