State Treasurer Denise Nappier
announced Wednesday that 21 Connecticut Higher Education Trust college savings
accounts were recently breached, resulting in more than $1.4 million in
unauthorized withdrawals.
Nappier said her office was
advised of the breach by TIAA-CREF Tuition Financing Inc., the program manager
for the CHET Direct 529 savings plan. Unauthorized individuals were apparently
able to gain access to the customers' online accounts, making a total of 44
unauthorized withdrawals. The accounts were not on any state computer system.
Of the $1.4 million withdrawn,
Nappier said $442,540 was recovered or stopped. TIAA-CREF Tuition Financing
Inc. said it will fully restore all affected accounts. State funds will not be
used to restore the missing money. Also, the company will provide account
holders with two years of identify fraud protection services, identity
restoration services and $1 million in identity theft insurance coverage.
Chad Peterson, a spokesman for
TIAA-CREF, said it doesn't appear the thieves obtained the account holders'
personal information from TIAA-CREF's website or any of its associated vendors.
Rather, he said, the facts show the culprits obtained the personally
identifiable information from a source other than Tuition Financing Inc. or the
Connecticut Higher Education Trust, also known as CHET. That information was
then used to gain unauthorized access to the savings accounts and illegally
redirect payments, he said.
"We contacted all
impacted account holders to assure them that they will not suffer any financial
loss as a result of this incident," he said. "Further, we have
examined all of the 529 plans managed by TFI, and have found no evidence of any
additional fraud or unauthorized account access."
State Treasurer Denise Nappier
said this is the first time her office is aware of any fraudulent activity in
CHET's 20-plus year history.
"I am deeply concerned
that these criminal activities have impacted CHET account holders," she
said.
There are roughly 150,000 CHET
accounts. About 120,000 are CHET Direct accounts, which allow participants to
make their own investment decisions and deposit and withdraw funds online. The
CHET Advisor program, which is managed by The Hartford, was not affected by the
breach. That program involves a professional adviser who makes the investment
decisions.
Federal, state and local law
enforcement agencies are investigating the breach.
Deputy Treasurer Larry Wilson
said the Treasurer's Office first received a complaint in early April from a
state lawmaker who had a constituent that noticed money was missing from their
CHET account. Wilson said the office initially thought it was a
"one-off" problem until TIAA-CREF and law enforcement contacted the
state agency about the breach earlier this month. Wilson said there are no
plans at the moment to change program managers for the college savings plan. He
said the office is focused on helping the affected account holders.
Nappier's statement said
TIAA-CREF's Tuition Financing Inc. has since implemented "system
enhancements" and "additional internal controls and extra manual
reviews aimed at helping to protect against future fraudulent activity."
She said the treasury is monitoring those security initiatives and has
requested an independent audit of fraudulent account activity and an
independent review of the company's cyber, telephone and manual security
programs.
"The review will be
important in our assessment of the situation," Wilson said.
Click
here for the original article from News Observer.