A pension fund for Oklahoma state government retirees was the target of a cyberattack last month that ripped off $4.2 million after one employee’s email account was compromised, officials announced last week. The incident, which occurred Aug. 26, affected the Oklahoma Law Enforcement Retirement System, or OLERS, which supports retired state troopers, park rangers and campus police at public universities.
The agency that runs the $1 billion fund said on its website that all payments will be made on schedule, and that none of its roughly 1,500 beneficiaries “have been impacted or put at risk.” OLERS officials have declined to comment further, citing an FBI investigation. The fund’s director, however, told the Oklahoman newspaper, which first reported the hack, that the stolen money was being managed by a third-party investment manager on the fund’s behalf, and that $477,000 has already been reclaimed.
“We are certain the stolen funds will be recovered,” the statement on the OLERS website reads. “Most importantly, no pension benefits to members or beneficiaries have been impacted or put at risk. All benefits will continue to be paid in a timely fashion as always.”
Authorities have not said how the email-account breach that led to the theft occurred. Like most state agencies in Oklahoma, OLERS uses an email system administered by the IT division of the Office of Management and Enterprise Services. A spokesman for OMES did not answer a phone call seeking comment on the theft from the pension fund.
Oklahoma is hardly the first state where a government pension fund has been the target of a cyberattack with financial consequences. In November 2017, the pension fund serving Iowa state retirees lost “hundreds of thousands” of dollars after it was compromised.
A spokeswoman for Oklahoma Gov. Kevin Stitt told the Associated Press that he was “very frustrated” by the news of the pension-fund hack. Stitt, a Republican elected in 2018, has taken several actions on the state’s IT governance during his first year in office. In late March, he ordered an audit of the IT division after its parent agency, OMES, requested an additional $16 million to cover unpaid bills. In July, he installed Matt Singleton, a former chief information officer for the state’s education system, as statewide chief information security officer.
Separately, the Oklahoma Legislature spent part of its 2019 session deliberating a bill that would’ve moved the IT division from OMES to an independent agency, but also would’ve rolled back the consolidation efforts made in recent years by giving individual agencies more authority to set their own technology priorities and staffs. The bill did not advance out of the state House.