NEWS

Potential data breach at ASRS; 44,000 retirees affected

Craig Harris
The Republic | azcentral.com
Those affected can call AllClear ID at 1-855-731-6012 for help. The benefits include credit monitoring and a $1 million identity-theft insurance policy.
  • The ASRS will pay $291,000 to provide identity-protection services because of a possible security breach.
  • The roughly 44,000 retirees affected were enrolled in the ASRS dental plans.
  • The ASRS believes the discs with sensitive information were destroyed, but it is still taking precautions.

Nearly 44,000 state retirees may have had their personal data compromised in a security breach, and the Arizona State Retirement System is spending about $291,000 to provide identity-protection services for them.

The pension system this month began notifying affected retirees, all of whom were enrolled in the ASRS dental plans.

The system has offered to pay for 12 months of services with AllClear ID, the same company that is providing identity-theft protection to customers affected by a breach at Home Depot.

Those affected can call AllClear ID at 1-855-731-6012 for help. The benefits include credit monitoring and a $1 million identity-theft insurance policy.

"We felt it was the appropriate thing to do," said David Cannella, spokesman for ASRS, which is a $33.67 billion fund for roughly 542,000 members. "We want to do what we can to ensure the best protection for our members."

Cannella said the problem began last month when the system sent two unencrypted computer discs containing the first and last names and Social Security numbers of members enrolled in ASRS dental plans to a benefits company, Assurant, in Kansas City, Mo.

Assurant, at the end of last month, informed the ASRS that it had not received the discs, and the trust began searching for them. When the ASRS could not find the discs, the fund began notifying those affected and apologized in writing.

"We don't think there was any wrongdoing, and there's no indication they were stolen," Cannella said.

He added that the discs likely were destroyed in the mail and said the ASRS has since changed its procedures for sending sensitive information.

Cannella said the ASRS now will send sensitive data only with encrypted discs or secure file uploads and will pay for a tracking service to make sure the information arrives at its destination.

"The discs should have been encrypted, and they were not," Cannella said. "We certainly don't want to hide what occurred."

Cannella said letters were sent only to those affected, less than one-tenth of the total members of the state's largest pension fund, which provides retirement benefits for teachers and government workers. He said nearly all of those contacted live in Arizona.

The problem at the ASRS follows a potential security breach at the Public Safety Personnel Retirement System, which is paying about $150,000 for identity-protection services from LifeLock for PSPRS members.

The PSPRS sought assistance from LifeLock earlier this year after a former employee took data that included the names and Social Security numbers of members.

That trust has sued the employee, who has contended he didn't know he took the sensitive data. The case is in Maricopa County Superior Court.

ON THE BEAT

Craig Harris covers state pension systems and agencies, with an emphasis on government accountability and public money.

How to reach him

craig.harris@arizonarepublic.com

Phone: 602-444-8478

Twitter: @charrisazrep