J.P. Morgan Data Breach Exposes 451,000 Plan Participants’ Information

Participant names, addresses, Social Security numbers and bank information were exposed in a breach the bank learned of in February.

More than 451,000 plan participants at J.P. Morgan Chase were impacted by a data breach in which their personal information was exposed, according to a regulatory filing that the company made to the Office of the Maine Attorney General on Monday. 

The participant information that was exposed included participants’ names, addresses, Social Security numbers, payment and deduction amounts, as well as bank routing and account numbers if the participants had set up direct deposit. 


The breach was not part of a cyberattack and there is no indication of data misuse, a J.P. Morgan spokesperson told PLANSPONSOR. A notice of the data breach that J.P. Morgan submitted to the Maine Attorney General revealed that on February 26, J.P. Morgan learned of a software issue that caused certain reports run by three authorized system users to include plan participant information that they were not entitled to see. 

The three users were employed by J.P. Morgan customers or their agents, according to the notice. 

The system users ran a limited number of reports between August 26, 2021, and February 23, 2024. 

Lynne Atchison, executive director of benefit payment services, wrote in the disclosure notice to the Maine AG that J.P. Morgan “promptly addressed the access and applied a software update” once it was aware of the issue.

The bank is offering individuals affected by the breach two years of identity theft protection services through Experian’s IdentityWorks platform. J.P. Morgan is also making its call center available to address participant questions.  

“Safeguarding client information is a priority,” a spokesperson said. 

In 2023, a cyberattack on data transfer software firm MOVEit, which is owned by Progress Software Corp., ended up revealing the private data of nearly 95,000 people across more than 2,500 firms, according to anti-malware company Emsisoft. The breach included retirement plan participants exposed via services vendor Pension Benefit Information LLC; firms hit included Fidelity Investments, TIAA and the California Public Employees’ Retirement System, among others. 

Later in 2023, there was a separate breach of Infosys McCamish Systems LLC, a U.S. subsidiary of Infosys BPM Ltd., based in Bangalore, India, that shut down access for a number of nonqualified compensation benefit accounts held with firms including Ascensus’ Newport, T. Rowe Price and Vanguard. 

In both incidents, impacted firms responded by providing identity theft protection to customers affected by the breach, as hackers can sometimes use or sell the data to try to defraud consumers.

California Marketer Claims Plan Change Caused Recordkeeper to Retaliate

A California plan sponsor has sued the provider it removed, 401(k) Easy, claiming the company perpetrated a scheme to defraud the plan.   

The retirement plan trustee for a Los Angeles marketing agency, NVE Experience Agency LLC, has sued retirement plan recordkeeper and third-party administrator to the plan—Pension Systems Corporation doing business as 401(k) Easy—alleging the firm took $56,934.50 in retirement assets directly from the plan, in a scheme to defraud the plan and block the plan’s new, incoming recordkeeper.  

Each year NVE had renewed 401(k) Easy’s recordkeeping and third-party administration services, until 2023, when it notified the company of the plan’s intention to change recordkeepers at the end of the calendar year.


The company claims its decision to cut business ties with 401(k) Easy prompted the recordkeeper to punish NVE with excessive fees and to frustrate the plan’s move to the new recordkeeper, attorneys argue in the complaint brought by NVE’s retirement plan trustee Brett Hyman. The lawsuit was filed in the U.S. District Court for the Central District of California.

“In reaction, and in an apparent attempt to force NVE to pay excessive fees that 401(k) Easy had unilaterally and arbitrarily set, 401(k) Easy repeatedly blocked all access by plaintiffs and plan participants to the online administration and investment process of the plan which prevented NVE from depositing contributions to, and plan participants from making withdrawals from, the plan,” argued NVE attorneys, in the complaint. “Further, 401(k) Easy created a false paper trail, backdating documents, to cover up that 401(k) Easy had misappropriated assets of the trust for the plan without plaintiffs’ knowledge or consent.”

NVE is requesting the court order James Gilbert—founder and CEO of Pension Systems Corporation—to repay the assets misappropriated and unilaterally transferred from the plan, with lost earnings and interest.

Blocking participants’ access to the plan was done at Gilbert’s instruction, argues the complaint.

“All of 401(k) Easy’s actions with respect to the plan were done at the direction of Defendant Gilbert, who actively participated in this fraud on the plan,” argue Hyman’s attorneys.

The complaint also seeks an injunction, barring the company and Gilbert from performing services to any Employee Retirement Income Security Act-covered employee benefit plans in the future; award of attorney’s fees and costs; and the award of damages. 

NVE hired 401(k) Easy to provide services to the plan in 2011.

The Night Vision Entertainment 401(k) P/S Plan held $2.873 million in retirement assets for 61 participants as of the firm’s most recent filing to the Department of Labor.

Representatives of the attorneys for 401(k) Easy and for the plaintiff did not respond to requests for comment. Representatives of NVE Experience Agency, LLC did not respond to a request for comment.

The case is NVE Experience Agency, LLC in its capacity as Plan Sponsor and Plan Administrator of the Night Vision Entertainment Inc 401(k) Plan et al. v Pension Systems Corporation (DBA) 401(k) Easy.
