Date: Feb 2020

Location: United States of America

Summary

The San Francisco Employees Retirement System experienced a data breach when an unauthorized party accessed a vendor-hosted test database containing member information. Exposed data included names, addresses, dates of birth, beneficiary details, and—for retirees—IRS Form 1099R data with routing numbers, while registered users also had login credentials and security answers compromised. Though no Social Security numbers or full bank accounts were exposed, the leaked information posed risks for phishing and identity theft. The affected database contained records current up to mid-2018. The organization offered credit monitoring services to impacted individuals following the incident.

Description

The San Francisco Employees’ Retirement System (SFERS) experienced a data breach involving unauthorized access to a vendor-managed test environment database containing member information. On February 24, 2020, an outside party accessed a server hosted by vendor 10up Inc., which stored data for approximately 74,000 SFERS members. The vendor discovered the intrusion on March 21, 2020, shut down the compromised server, and initiated an investigation. SFERS was notified of the breach on March 26, 2020, after which both organizations collaborated on the investigation. Forensic analysis found no evidence that member data was exfiltrated but could not confirm whether unauthorized viewing or copying occurred. The exposed database contained information from no later than August 29, 2018, as it was part of an outdated test environment.

Compromised data varied based on member status and site interactions. All affected individuals had names, addresses, dates of birth, and beneficiary details exposed. Retired members additionally had IRS Form 1099R information (excluding Social Security Numbers) and bank routing numbers for direct deposits compromised. Members who had registered on SFERS’ website also had their login credentials and security question answers exposed. No Social Security Numbers or full bank account details were stored in the breached database. SFERS offered impacted members a complimentary one-year subscription to Experian’s IdentityWorks credit monitoring service and advised vigilance against phishing attempts leveraging exposed security questions. The organization emphasized direct verification of any suspicious communications purporting to originate from SFERS.
