Experts explain the top tips for protecting clients’ retirement accounts and Social Security benefits
For clients, the latest Social Security data hack could be unsettling, especially for those in retirement or nearing it. Retirement plan advisors have an opportunity here to mitigate concerns while preparing clients for future scenarios.
It all started when billions of Social Security numbers were leaked after cybercriminal group USDoD stole the sensitive records from National Public Data, a background-check data company based in Coral Springs, Florida. NPD says hackers had previously attempted to steal the data in December 2023 and succeeded with “potential leaks of certain data in April 2024 and summer 2024” that included names, email addresses, phone numbers, Social Security numbers, and mailing addresses from residents in the U.S., UK, and Canada.
The hacking group has since attempted to sell the personal data records on the dark web for $3.5 million and has claimed it stole data from each individual across the three countries.
While USDoD has attempted to sell the data, other threat actors have since released limited copies of the records for free, with each version sharing different data points including Social Security numbers and mailing addresses.
As a result of the leak, Jerico Pictures Inc., which does business as National Public Data, has faced at least seven class-action lawsuits, each accusing the company of negligence and breaches of fiduciary duty, among other allegations.
One lawsuit, filed on August 1 by California plaintiff Christopher Hofmann, accused the company of negligence, unjust enrichment, and breaches of fiduciary duty, among other allegations. It also accused National Public Data of obtaining personal data in an unjust and nonconsensual manner. To conduct its business, NPD scrapes personally identifying information (PII) of individuals from non-public sources, meaning that plaintiffs never willingly gave the company their information.
The lawsuit seeks monetary relief and an order mandating NPD take actionable steps to prevent future breaches.
Cyberthreats to retirement plans have gained momentum in recent years. In 2023, a vulnerability in a third-party file-transfer software called MOVEit led to a data breach impacting millions of individuals with accounts at leading financial services corporations, including Prudential, Charles Schwab, TIAA, and New York Life, along with hundreds of thousands of retirees enrolled in the California Public Employees’ Retirement System (CalPERS).
401(k) Specialist spoke with experts on how advisors can mitigate worries from retirement plan participants, while also preparing them for possible future hacks.
Credit Freeze and Fraud Alerts
Participants impacted by a breach are first advised to add a credit freeze, a fraud alert, or both to their credit report.
According to the Social Security Administration (SSA), affected consumers should notify one of the following three major credit bureaus:
Equifax at 1-800-525-6285
Experian at 1-888-397-3742
TransUnion at 1-800-680-7289
Once notified, the company will call the other credit bureaus to inform them about the freeze or alert.
Clients will also need to provide their Social Security number and address to the credit bureaus. Once reported, they will receive a PIN, which they can then use to lift or remove the freeze as needed.
While both are effective, credit freezes are generally seen as more powerful because they restrict access to credit reports, making it difficult for hackers to open accounts or credit lines in a client’s name, explains Chip Lupo, a writer and analyst for personal finance company WalletHub. Fraud alerts, on the other hand, warn creditors to take extra steps in verifying an applicant’s identity, but they don’t necessarily deny access to threat actors, Lupo adds.
“A credit freeze is more effective than a fraud alert because it entirely locks down your credit report, which will prevent most third parties from accessing your credit report without your explicit permission,” he said. “This means that even if a fraudster has your personal information, they cannot open new accounts in your name.”
Even so, impacted consumers are advised to add a fraud alert in the event of a breach for added safety. This signals to potential creditors that additional verification is required before extending credit, which could reduce the risk of identity theft, Lupo explains. Clients can choose between an initial fraud alert, which lasts 90 days and can be renewed, or an extended alert that lasts seven years.
“To protect your retirement, it’s essential to take preventive measures such as fraud alerts or credit freezes, which add layers of security to your financial information and reduce the risk of unauthorized access,” he said.
While effective, credit freezes and fraud alerts should be only the first of several protective measures clients take when concerned about identity theft and fraud, says Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, a nonprofit organization dedicated to cyber defense.
“[Credit freezes] don’t stop someone from using your existing accounts or from committing tax fraud or medical identity theft,” he added. “While credit freezes are a strong first line of defense, they should be part of a broader strategy that includes regular monitoring of your accounts and credit reports.”
Investing in premium identity protection services, like around-the-clock credit monitoring services that notify individuals of suspected activity, could provide an additional layer of security. These services also tend to offer identity restoration and insurance, so that individuals have the support to mitigate damage and recover quickly after a breach, adds Lupo.
“Premium identity protection offers robust security measures that can help safeguard your personal information in today’s increasingly digital world,” he states. “While there are free alternatives, premium services offer comprehensive protection that can be well worth the investment for peace of mind.”
Stay Alert
Adding extra support by incorporating multi-factor authentication, a sign-in process that requires a passcode plus additional information, could also strengthen threat prevention across all financial accounts, notes Steinhauer.
Furthermore, reviewing these accounts, financial statements and even Social Security benefits could aid in prevention, along with regularly updating antivirus software and using firewalls.
“To continue protecting themselves in the case of future data hacks, individuals should regularly monitor their financial accounts, including retirement, bank, and credit card statements, for any unauthorized transactions. It is crucial to use strong, unique passwords for all financial accounts and enable two-factor authentication to add an extra layer of security,” he said.
It’s up to clients to implement their first, and best, line of defense—to regularly monitor their savings and accounts, Steinhauer adds. “Timely action can mitigate the potential impact on retirement savings and overall financial health,” he said. “[Clients should] always have a plan in place for responding to potential breaches, including knowing who to contact and what steps to take immediately.”