Retirement Clearinghouse reports data breach

Retirement Clearinghouse, a 401(k) and IRA portability firm, is the latest business to report a data breach, earlier this month notifying more than 10,000 account holders that their Social Security numbers had been compromised.

In notices to various states, the firm disclosed that a phishing attempt earlier this year potentially exposed client data.

“On or about March 15, 2023, Retirement Clearinghouse identified potentially suspicious activity for one email account, and promptly took steps to confirm the security of the account,” the company wrote in its disclosure to the Maine attorney general’s office. “Retirement Clearinghouse began an investigation and, in the interim, notified a potentially affected organization on March 18, 2023.”

Retirement Clearinghouse sent letters May 12 to potentially affected account holders. The data breach was reported Tuesday by mutual fund trade publication Ignites.

A personal injury law firm also took note of the data breach notice last week.

In addition to Social Security numbers being compromised, IRA account numbers at Matrix Trust Co. were exposed.

“We are coordinating with Retirement Clearinghouse in their efforts to inform all impacted individuals of this situation and the services being offered to protect their data,” a spokesperson at Broadridge Financial Solutions, parent company of Matrix, said in an email. That firm was unaware of any unauthorized access to accounts as of today, he said.

In response to the breach, Retirement Clearinghouse is “evaluating additional safeguards to mitigate recurrence of this type of event,” it stated in the notice in Maine. It is also “providing access to credit monitoring services for twelve months, through Experian, to individuals whose information was potentially affected by this event, at no cost to these individuals.”

In an email, Retirement Clearinghouse CEO Spencer Williams declined to say when an employee’s email was phished, but he noted that the firm took several steps to protect accounts after it was discovered.

“RCH responded by shutting down the affected account, confiscating all equipment and engaging a third-party forensic firm to ensure that no further data was exposed. That finding was confirmed. RCH subsequently made filings with states, as required by law, and has taken additional actions to reduce future potential email phishing incidents,” Williams said. “At no point were RCH customer accounts exposed to the bad actor, nor were RCH customer assets at risk.”

Retirement Clearinghouse provides retirement account portability services and is part of the Portability Services Network, a group that provides automatic account portability for 401(k)s and other types of retirement plans. Plan record keepers that are part of that network include Vanguard, TIAA, Fidelity, Empower and Alight Solutions.

Data compromises are nothing new in the financial services industry, though they appear to be increasingly common in the retirement business. In 2021, for example, Transamerica disclosed with the California attorney general’s office that a change to one of its plan administration websites temporarily allowed other employers to access information in plans that were not their own. Alight Solutions has also faced lawsuits over compromised accounts.

However, record keepers tend to have safeguards in place, and some have made account-security guarantees to put participants and plan sponsors at ease.

Two years ago, the Department of Labor issued cybersecurity guidance for plan fiduciaries, service providers and account owners. That guidance includes tips for hiring service providers, best practices for cybersecurity for record keepers and security suggestions for plan participants.