A former employee of the New York-based cosmetics giant Estée Lauder is suing the company and a third-party benefits firm, alleging they breached their fiduciary duty to secure her 401k retirement account after $99,000 was fraudulently distributed from the account without her knowledge.
The case, Naomi Berman vs. Estée Lauder et al., comes amid increasing concern about cyber fraud targeting the $5.7 trillion 401k industry, in which more than 100 million Americans participate.
The case hinges on a series of three 401k distributions from Ms. Berman's Estée Lauder 401k plan in September and October of 2016. Those distributions, for $37,000, $52,000 and $12,000, were sent by Lauder's plan administrator, Alight Solutions LLC, to three separate bank accounts. Berman only learned of the distributions after receiving mailed 401k statements from the administrator. Subsequent efforts by Berman to get Alight, which ran the plan's web portal, and Estée Lauder to investigate the transfers and restore the stolen funds were fruitless.
Gone in 30 Days: $99k in Savings
In the suit, Berman alleges that Alight and Lauder “breached their fiduciary duties of loyalty and prudence.” In addition to the unauthorized distributions, the case cites Alight and Estée Lauder’s failure to “confirm authorization for distributions with the plan participant before making distributions.”
The case cites security lapses by Alight and Lauder. Among them: the failure to provide “timely notice of distributions;” to “identify and halt suspicious distribution requests, such as requests for multiple distributions to accounts in different banks”; and “failing to establish distribution processes to safeguard Lauder Plan assets against unauthorized withdrawals,” according to a copy of the complaint obtained by The Security Ledger. The case was filed in October in U.S. District Court for the Northern District of California.
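The two controls the complaint says were absent, a check for several distributions to accounts at different banks within a short window and a confirmation of each new destination with the participant outside the web session, are straightforward to express as a screening rule. The following is an added Python example and is not code from the article, Alight, or Estée Lauder; the 45-day window, the field names, the "RTN-A"-style routing-number placeholders and the sample requests are constructed assumptions, with amounts and dates chosen to mirror the three distributions described above:

```python
"""Screen 401k distribution requests before they are paid.

A request is HELD when the same participant has asked for distributions to
accounts at more than one bank within the window, or when the destination
account has never been used before and has not been confirmed with the
participant out of band (phone or mail, not the web portal session).
All thresholds, field names and sample data below are assumptions for
illustration; they are not any plan administrator's real controls.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class DistributionRequest:
    participant_id: str
    requested_at: datetime
    amount: float
    bank_routing: str            # destination bank (placeholder string here)
    account_last4: str           # last four digits of destination account
    confirmed_out_of_band: bool  # participant confirmed this destination by phone/mail


def screen(requests: Iterable[DistributionRequest],
           window: timedelta = timedelta(days=45),
           max_banks_in_window: int = 1) -> list[dict]:
    """Return one decision per request, in chronological order.

    Each decision carries the reasons that fired; an empty list means RELEASE.
    """
    decisions = []
    history: dict[str, list[DistributionRequest]] = {}
    for req in sorted(requests, key=lambda r: r.requested_at):
        prior = history.setdefault(req.participant_id, [])
        recent = [p for p in prior if req.requested_at - p.requested_at <= window]
        reasons = []

        # Rule 1: distributions to accounts at several different banks in the window.
        banks = {p.bank_routing for p in recent} | {req.bank_routing}
        if len(banks) > max_banks_in_window:
            reasons.append(f"{len(banks)} destination banks within {window.days} days")

        # Rule 2: a never-before-used destination must be confirmed out of band.
        seen_before = any(
            (p.bank_routing, p.account_last4) == (req.bank_routing, req.account_last4)
            for p in prior
        )
        if not seen_before and not req.confirmed_out_of_band:
            reasons.append("first use of destination account without out-of-band confirmation")

        decisions.append({
            "participant_id": req.participant_id,
            "amount": req.amount,
            "bank_routing": req.bank_routing,
            "action": "HOLD" if reasons else "RELEASE",
            "reasons": reasons,
        })
        prior.append(req)  # record it even if held, so later requests see it
    return decisions


# Constructed sample: P-1 mirrors the three distributions in the complaint
# (three amounts, three banks, no confirmation); P-2 is a benign participant
# paying to one confirmed account twice, months apart.
SAMPLE_REQUESTS = [
    DistributionRequest("P-1", datetime(2016, 9, 12), 37_000.0, "RTN-A", "1111", False),
    DistributionRequest("P-1", datetime(2016, 9, 26), 52_000.0, "RTN-B", "2222", False),
    DistributionRequest("P-1", datetime(2016, 10, 10), 12_000.0, "RTN-C", "3333", False),
    DistributionRequest("P-2", datetime(2016, 8, 1), 5_000.0, "RTN-D", "4444", True),
    DistributionRequest("P-2", datetime(2016, 11, 15), 8_000.0, "RTN-D", "4444", False),
]


def run_sample() -> list[dict]:
    """Screen the constructed sample; returns the decision list for inspection."""
    return screen(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for d in run_sample():
        print(d["participant_id"], d["action"], f"${d['amount']:,.0f}", d["bank_routing"], d["reasons"])
```

Run against the sample, every one of P-1's three requests is held: the first because the destination is new and unconfirmed, the second and third additionally because two and then three different banks appear within 45 days. P-2's requests are released because the account was confirmed on first use and the later request reuses it. A production version would also send the participant notice of every request at the moment it is made, not on the quarterly statement, which addresses the "timely notice" lapse the complaint cites separately.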
Questions on ‘How’
The suit does not mention the exact mechanism by which the fraudulent transfers happened. It is unclear whether the criminals responsible for it were relatives of the plan holder, insiders at the firm managing the 401k, cyber criminals acting from afar – or none of the above.
Alden Bianchi, the Chair of the Employee Benefits & Executive Compensation Practice at the Boston firm Mintz Levin, said that in his experience most 401k distribution fraud is carried out by trusted insiders like spouses or blood relatives. "Inheritance is rife with this stuff," he told The Security Ledger. "'So and so's sister-in-law and brother-in-law' are good with computers – that kind of thing." Fraudulent distributions often take place in the context of a divorce, he said. "You've got a disgruntled ex-partner and they want access to those funds, but they have trouble getting it legally."
Still, cyber crimes by strangers are enough of a phenomenon that they are getting the attention of what Bianchi described as “savvy retirement committees.” “Virtually every well run (401k) fiduciary committee I’ve heard of has this on their agenda,” Bianchi said.
A Growing Risk to 401k Plans
Legal experts agree that the case highlights the risk to individual 401k account holders amid a noted increase in attacks on both 401k plans and plan participants.
Allan Liska, a Solutions Architect at the cyber threat intelligence firm Recorded Future, said his company has seen a rise in attacks like the one on Berman attempting to steal 401k or pension information from victims. "This can be done either through phishing campaigns pretending to be from 401k management companies. These phishing emails often contain subject lines like 'Changes to your 401k Plan' or '401k Open Enrollment' and try to trick victims into giving up their usernames and passwords to their 401k plan," Liska said in an email statement.
In other cases, Recorded Future says, information-stealing malware such as TrickBot may be used to capture 401k credentials when it infects a victim's computer. Attackers then use the stolen credentials to attempt to access and drain victims' 401k accounts.
Plan Participants ‘Particularly Vulnerable’
401k accounts are particularly vulnerable to fraud because they are typically not accounts that account holders interact with frequently, according to Teresa Renaker, an attorney who is representing Ms. Berman in her case against Estée Lauder and Alight. "You don't check your 401k every day or even every month," she noted. Plans are only required to mail statements every quarter. "Indeed, participants are generally advised to leave their 401k accounts alone," Renaker said.
In the case of Ms. Berman, who worked for Estée Lauder's MAC Cosmetics subsidiary from 1998 to 2006, the complaint alleges that she did not learn of the distributions until all three had taken place. After notifying the plan administrator of the fraud, Ms. Berman made at least 23 calls to the administrator's Customer Service Center regarding the unauthorized distributions between October 24, 2016 and January 2, 2017. Eventually, the Customer Service Center informed Ms. Berman that it had completed its investigation, that no money had been recovered, and that her Lauder Plan account would not be made whole for the losses.
An analysis by the Washington, D.C.-based Groom Law Group said the facts of the Berman case "expose some ugly truths" for the 401k industry "about the potential vulnerability of 401(k) plan assets to theft." In such cases, Groom noted, the fraudsters "typically have acquired sufficient amounts of personal information about the participant to penetrate security protocols." Historically, 401k plan administrators and record keepers have responded to such fraud incidents by making the victim whole without drawing on the plan's own assets. As Groom notes, the Berman case may suggest that "at least for some plan service providers, the willingness to cover fraudulent withdrawals may have run out."
Renaker said she also finds it unusual that neither the company nor its record keeper would offer to make her client whole. Federal law is very clear on the fiduciary responsibilities of plan administrators, though she acknowledges that issues around cyber attacks on 401k plans have not been litigated.
“It may signal a change in position by this provider or providers more generally. Generally the record keeper or plan sponsor makes the participant whole,” she said.
A Range of Threats
Security experts say the plans face a wide range of threats in addition to attacks on individual account holders.
Liska of Recorded Future notes that 401k plans must contend with cyber actors seeking to steal plan data en masse from HR departments. He notes the recent Five Guys breach as an example of that. Cyber attackers may also go after the funds directly, as happened with the Oklahoma pension fund. “If attackers can gain access to the funds directly they will be able to steal larger sums of money, which makes them an attractive target,” Liska noted.
Abigail Showman, a Tactical Monitoring Analyst at Flashpoint said her firm has noted “some threat actor interest” in targeting investment accounts across the Deep & Dark Web (DDW) including buying and selling user credentials.
“Interest in such data does not appear to be as widespread as other types of financial accounts such as bank or credit card accounts. However, analysts have identified numerous advertisements, particularly in card shops, advertising the sale of 401k or other types of investment accounts,” Showman noted.
Threat actors who advertise such credentials for sale will provide specific details on the financial organization and type of account, and will also often include an exact dollar amount contained within the account as well, she said.
There have also been some recent instances of threat actors who claim to have illicitly gained access to networks associated with investment firms. In addition to network access, threat actors have also advertised the sale of databases that are allegedly sourced from investment firms. These compromised databases have included personally identifying information on customers, including full name, Social Security Number, date of birth, account information, and customer login credentials.
Purchase of such data can facilitate other forms of financial fraud, Showman said. It is possible that 401k distribution fraud schemes would be part of the mix for fraudsters possessing stolen data. However, Flashpoint analysts have not observed such discussions accompanying the buying and selling of investment-related account data in their monitoring of the cyber criminal underground, or "Deep and Dark Web."
Headed to the Courts
Should Berman's case or others go to trial, courts will be asked to spell out specifically that cyber security protections fall under the definition of "fiduciary responsibilities," clarifying the obligation of 401k plan administrators to prioritize protections against hacking, malware, account takeovers and other malicious activity.
If that were the case, judges may well look to what other industries like banking and financial services have put in place to protect accounts. "While it is not an issue that has been litigated a lot, it's pretty clear that fiduciaries have a responsibility to protect assets against this kind of loss," Renaker said.