State Treasurer Denise Nappier announced Wednesday that 21 Connecticut Higher Education Trust college savings accounts were recently breached, resulting in more than $1.4 million in unauthorized withdrawals.
Nappier said her office was advised of the breach by TIAA-CREF Tuition Financing Inc., the program manager for the CHET Direct 529 savings plan. Unauthorized individuals were apparently able to gain access to the customers’ online accounts, making a total of 44 unauthorized withdrawals. The accounts were not on any state computer system.
Of the $1.4 million withdrawn, Nappier said $442,540 was recovered or stopped. TIAA-CREF Tuition Financing Inc. said it will fully restore all affected accounts. State funds will not be used to restore the missing money. Also, the company will provide account holders with two years of identify fraud protection services, identity restoration services and $1 million in identity theft insurance coverage.
Chad Peterson, a spokesman for TIAA-CREF, said it doesn’t appear the thieves obtained the account holders’ personal information from TIAA-CREF’s website or any of its associated vendors. Rather, he said, the facts show the culprits obtained the personally identifiable information from a source other than Tuition Financing Inc. or the Connecticut Higher Education Trust, also known as CHET. That information was then used to gain unauthorized access to the savings accounts and illegally redirect payments, he said.
“We contacted all impacted account holders to assure them that they will not suffer any financial loss as a result of this incident,” he said. “Further, we have examined all of the 529 plans managed by TFI, and have found no evidence of any additional fraud or unauthorized account access.”
State Treasurer Denise Nappier said this is the first time her office is aware of any fraudulent activity in CHET’s 20-plus year history.
“I am deeply concerned that these criminal activities have impacted CHET account holders,” she said.
There are roughly 150,000 CHET accounts. About 120,000 are CHET Direct accounts, which allow participants to make their own investment decisions and deposit and withdraw funds online. The CHET Advisor program, which is managed by The Hartford, was not affected by the breach. That program involves a professional adviser who makes the investment decisions.
Federal, state and local law enforcement agencies are investigating the breach.
Deputy Treasurer Larry Wilson said the Treasurer’s Office first received a complaint in early April from a state lawmaker who had a constituent that noticed money was missing from their CHET account. Wilson said the office initially thought it was a “one-off” problem until TIAA-CREF and law enforcement contacted the state agency about the breach earlier this month. Wilson said there are no plans at the moment to change program managers for the college savings plan. He said the office is focused on helping the affected account holders.
Nappier’s statement said TIAA-CREF’s Tuition Financing Inc. has since implemented “system enhancements” and “additional internal controls and extra manual reviews aimed at helping to protect against future fraudulent activity.” She said the treasury is monitoring those security initiatives and has requested an independent audit of fraudulent account activity and an independent review of the company’s cyber, telephone and manual security programs.
“The review will be important in our assessment of the situation,” Wilson said.
Was this article valuable?
Here are more articles you may enjoy.