Skip to main content

You are here


Plan Sponsor, RK Sued for Fiduciary Breach in 401(k) Account Hack


A new suit has been filed, alleging “reckless actions in allowing an unknown individual to prey on and steal hundreds of thousands of dollars from the retirement savings of the Plaintiff…”

More specifically, the suit was filed on behalf of Heide Bartnett, 59, a retired former employee of Abbott Laboratories, who had left her savings in the Abbott Corporate Benefits Stock Retirement Plan. The suit, filed against the fiduciaries of the Abbot Labs retirement plan, and Alight Solutions, LLC, the recordkeeper for the plan. 

The suit alleges that the defendants “failed to enforce a security question routine set up for security purposes on the Defendants’ website”… and “instead simply provided a one-time code over the phone that was used to loot Ms. Bartnett’s account.” And then, “rather than communicating with Ms. Bartnett via email concerning changes to her account, as Defendants knew Ms. Bartnett preferred, they mailed notices, allowing the theft to be consummated and $245,000 to be transferred out of the country via email to an Indian IP address before Ms. Bartnett could take any steps to halt the fraud.”

‘Control’ Voice

The suit, which claims Alight was a fiduciary to the plan, cites contract services it provided, including administration, recordkeeping and information management services for the plan. Now, while recordkeepers typically are positioned as agents of the plan sponsor/employer, and thus avoid fiduciary status, the suit claims that was not the case here because Alight not only “operated Abbott Corporate Benefits’ telephone customer service center and website… both of which provided Plan participants the ability to manage their accounts, including requesting distribution of benefits.” In sum, “Alight exercised control over Plan assets by directing distributions from participants’ accounts, including the unauthorized distributions it allowed from Ms. Bartnett’s account.”

Noting that “defendants knew or should have known of the possibility of individuals attempting to make unauthorized withdrawals from retirement plans it oversaw or managed, due to prior similar incidents,” the suit alleges that, on or about Dec. 29, 2018, at 10:56 PM Central Time, an unknown user accessed Ms. Bartnett’s account via the internet, and chose the “forgot password” option. They then incorrectly entered four digits of the Social Security number and birth date, had those bad entries challenged, and the opted to receive a one-time code via e-email, allegedly to Bartnett’s email account, though she has no record or memory of receiving that email. Regardless, that one-time code was subsequently entered, access granted, password changed, and connected to a SunTrust bank account.

Then on Dec. 31 someone contacted the Abbott Benefits Service Center, claiming to be Ms. Bartnett, albeit from a phone number “which did not belong to Ms. Bartnett, had never been used by Ms. Bartnett, and was not associated with Ms. Bartnett’s Plan account.” They then allegedly told the customer service representative that they had tried to process a distribution online, but were unsuccessful, at which point the CSR asked if the caller still lived at the address on file “thereby providing Ms. Bartnett’s personal information to the Impersonator.” 

‘Snail’ Fail?

Then the CSR told the caller that a new bank account that has been added to the account, and that that had to be on file for seven days before money could be transferred to the newly added account. And then confirmed that they could go online and transfer money the following Monday. And then, on Jan. 1, “…despite Ms. Bartnett’s preferred method of communication being via email, ‘snail mailed’ a ‘Direct Deposit Address Addition’ notice to Ms. Bartnett, advising her of the change made to her direct deposit access to her account.” The suit notes that if the defendants had instead sent an email to Bartnett, she would have had an opportunity to question the account addition. 

On Jan. 4, 2019—no funds yet having been transferred—Ms. Bartnett’s husband attempted to access the account, but the password had been changed. However, he properly answered the security question asked by the site and changed her account password. This change was communicated to plaintiff Bartnett via email.

House Call

On Jan. 8, 2019, about 8:00 in the morning, the imposter once again—and from a strange phone number—called the Abbott Benefits Support Center, again claiming to be Bartnett. Once again, they opted for the one-time code, rather than responding to the personal security questions—though once again, the Bartnett’s don’t recall ever receiving the code. And then, the imposer asked about a transfer of funds, claiming it was needed for purchasing a house. “At that time, upon the Impersonator’s request, Defendants authorized $245,000 to be transferred from Ms. Bartnett’s account[i] to the SunTrust Bank account.”

On the next day, defendants… sent a letter via first class U.S. Mail to Bartnett, advising her of the transfer of funds. A letter she did not receive until Jan. 14, 2019. 

The impersonator made two additional calls to the call center on Jan. 9, 2019, inquiring about the balance and asking about the status of the wire transfer (they were told the funds would be transferred on Jan. 14, 2019).

On Jan. 15, 2019, Bartnett called Abbott Corporate Benefits to report that she had discovered that money was missing from her Plan account—and at that point, the defendants froze the account and advised her to contact the police.

With some effort, law enforcement was able to track back the IP address of the account access attempts to an individual living in the city of Panta, in the state of Bihar, in the country of India.

The suit chronicles Bartnett’s subsequent efforts at recovery; $48,991 from withheld taxes were redeposited, and SunTrust managed to get back $59,494.02. But that, according to the suit appeared to be the end of the recovery, save for what the suit describes as “a take-it-or-leave-it offer to restore just 10% of the funds that had been stolen from Ms. Bartnett’s Plan account.”

What This Means

This is not the first time that the immediacy of account access, coupled with a decidedly slower process of transaction confirmations has produced litigation, or where a customer service center operation has played a role and been a party to it (see Recordkeeper, Plan Sponsor Charged in 401(k) Account Theft). 

While there has certainly been a growing concern about cybersecurity risks, there have also been recent cases where individuals within the sponsoring employer and others where TPA or recordkeeping staff have taken advantage of their access to misappropriate funds. 

And while this activities here weren’t recent, we stand here today on the brink of what could be an enormous increase in the number and size of emergency transaction requests. This suit—and perhaps many more that haven’t risen to this level—serve as reminders that our retirement savings are threatened by more than the Coronavirus.

[i]As of Dec. 31, 2018, Bartnett had a total of $362,510.84 in her plan account.