Hackers Net $4.2M in Cyber Theft from Oklahoma Pension Fund
OKLAHOMA CITY — The FBI is investigating after computer hackers managed to steal about $4.2 million in funds from a pension system for retired Oklahoma Highway Patrol troopers and other state law enforcement officers, state officials said Friday.
A notice posted on the Oklahoma Law Enforcement Retirement System website said the agency notified the FBI and couldn’t comment further on details of the breach.
“However, we are certain the stolen funds will be recovered,” the post said. “Most importantly, no pension benefits to members or beneficiaries have been impacted or put at risk.”
Duane Michael, the executive director of the pension system, told The Oklahoman newspaper that the theft happened Aug. 26 after an employee’s email account was hacked. He said the funds were being managed by an outside investment manager on behalf of the pension system and that the agency was able to recover about $477,000 of the stolen funds.
Michael did not respond Friday to several telephone messages from The Associated Press.
FBI spokeswoman Andrea Anderson said the agency has been advised of the incident, but she declined to comment further, saying it was an “ongoing matter.”
Donelle Harder, a spokeswoman for Republican Gov. Kevin Stitt, said the governor was notified of the breach this week and said the cyberattack underscores the importance of modernizing and consolidating the state’s information technology infrastructure.
“He was very frustrated,” Harder said Friday. “It’s valuable taxpayer dollars, and of course he wants to see every single penny get recovered.”
A similar theft from a Pennsylvania borough’s police pension fund in 2016 netted hackers about $100,000. In Iowa in 2017, pension payments were stolen from more than 100 public employee retirees after hackers used stolen identities to register for account access and then divert payments.
State pension and payroll systems are tempting targets for cyber thieves because they contain large sums of money and sometimes use outdated technology, said Chris Hinkley, the head of the threat resistance unit at Dallas-based Armor Security.
Hinkley said using strong passwords, changing passwords often and requiring two-factor authentication for access to accounts are simple steps any company or agency can take to protect against cyberattacks.
“At the end of the day, the biggest vulnerability of any organization is going to be the people,” Hinkley said. “People aren’t as consistent as computers. They can make mistakes or get tricked.”