September 19, 2019 • RBS

Categories: Security News

On the Cyber Risk Analytics research team, we are always on the lookout for patterns that may link together seemingly unrelated breaches. In June of last year we reported on just such a pattern occurring on the Click2Gov payment processing system. Unfortunately the campaign targeting those vulnerable installations continued throughout the summer, with at least 48 cities and towns – and most likely more – victimized by the attackers.

This week we’re seeing what may be the beginnings of another campaign, this time targeting pension funds. It is still too early to call this a ‘pattern’ – but the contours of two recent events suggest there may be a connection.

On September 5th, the Oklahoma Law Enforcement Retirements System, known as OLERS, shared the news that hackers were able to divert approximately $4.2 million dollars out of the pension fund. Details on the event are scarce. What is known is that the theft itself took place on August 26th and was the result of attackers gaining access to an “employee’s email account.” Other information around the event is so vague that it’s not clear whether that email account belonged to an OLERS employee or an outside investment manager, when the compromise of the email account occurred, how attackers managed to use the access to move money, or whether any personal or sensitive information was exposed in the process.

Just 6 days after the OLERS announcement, news surfaced that the City of Austin Employee’s Retirement System, known as COAERS, had also been breached. COAERS disclosed that the unauthorized access occurred on August 6th and once again, it was an employee’s email account that was compromised. Unlike the OLERS event, no funds have been reported stolen. This time a breach notification obligation was triggered as personal information held in the email account may have been accessed. As yet, no evidence of abuse of the personal information has come to light.

So why might these be connected? Both attacks were aimed at public employee pension funds, both went after email account access, and both seemingly occurred within weeks of the other. Were these coordinated events? It’s difficult to know based on the facts reported so far, but there are enough similarities to catch our researcher’s eye and lead us to wonder if we’ll be seeing additional incidents from other public pension systems.

Our products
The Platform
Risk Based Intelligence
Learn more
Vulnerability Intelligence
Learn more
Cyber Risk Analytics
Threat Intelligence
Learn more
Risk Management
Learn more