In May 2023, Retirement Clearinghouse LLC (“RCH”) announced a phishing attack that may have exposed individual retirement account holders’ names, Social Security numbers and account IDs. RCH is a company that provides autoportability of retirement accounts for participants who may wish or need to transfer their balances to other plans. The circumstances surrounding the phishing attack are all too common: an employee fell victim to a spoofed email, which gave a cyber criminal access to the employee’s email account. That account contained an email from a third-party administrator with an unencrypted attachment containing sensitive personal information.
Many believe that similar incidents, or targeting of autoportability transactions or the anticipated Retirement Savings Lost and Found database, may be on the horizon. While plan sponsors face a risk of potentially costly and protracted litigation, plan participants face the risk of losing retirement savings that may not be recovered in full. Therefore, plan sponsors (and their personnel) are reminded to remain vigilant and adopt best practices when it comes to safeguarding retirement savings funds. Plan participants should also regularly monitor their retirement savings accounts and ensure that they are taking steps to guard against potential identity theft.