
Hackers Crack into 529 College Savings

The latest financial services data breach has siphoned funds from Section 529 college savings accounts.

Last week Connecticut State Treasurer Denise Nappier announced that 21 Connecticut Higher Education Trust (CHET) college savings accounts were recently breached, resulting in more than $1.4 million in unauthorized withdrawals.

According to published reports, Nappier said her office was advised of the breach by Tuition Financing Inc. (TFI), TIAA-CREF’s program manager for the CHET Direct 529 savings plan. Unauthorized individuals were apparently able to gain access to the customers’ online accounts, making a total of 44 unauthorized withdrawals.

Of the $1.4 million withdrawn, Nappier said $442,540 was recovered or stopped, and TFI said it will fully restore all affected accounts. Account holders will be provided with two years of identity fraud protection services, identity restoration services and $1 million in identity theft insurance coverage.

A TIAA-CREF spokesman said it doesn’t appear that the thieves obtained the account holders’ personal information from TIAA-CREF’s website or any of its associated vendors, but rather obtained the personally identifiable information from a source other than TFI or the CHET. That information was then used to gain unauthorized access to the savings accounts and illegally redirect payments.

Reports indicate that word of the breach came via a complaint in early April from a state lawmaker who had a constituent who noticed money was missing from their CHET account. Officials thought it was a "one-off" problem until TIAA-CREF and law enforcement contacted the state agency about the breach earlier this month.

CHET account data and online systems are housed at and maintained by TFI and its service providers, and TFI has “implemented system enhancements, additional internal controls, and extra manual reviews aimed at helping to protect against future fraudulent activity,” according to a statement from the Connecticut Treasurer’s office. Nappier says her office has also requested an independent audit of fraudulent account activity and an independent review of TFI’s cyber, telephone and manual security programs.
