Received today via email:
May 2, 2018
Re: UCRS Pension Payment Thefts
A UCSC Emeriti Association member reports the following alarming story. Our member (OM, for privacy reasons) is very security conscious and computer savvy. Last Fall, OM's monthly pension direct deposit did not arrive at the bank.
Attempts to log into atyourserviceonline.ucop.edu failed. OM's password was no longer accepted! Someone had logged into OM's account approximately two weeks before the end of the month (according to UC records) so changes would take effect by the end of the month. They changed OM's password, and changed the direct deposit destination of the pension payment to another bank.
OM claims OM received no emails for any of these changes (spam folder checked too). OM made a police report as did UC. UC says "The breach of [OM’s] information did not occur as a result of a breach in the Retirement Administration Service Center system." UC refused to make good the missing payment to OM, claiming "The plan does not allow the monthly retirement income to be paid more than once a month." So UC has essentially declared that it is not their fault and once they make a deposit in OM’s name, no matter where the deposit is directed, the money has been spent and they cannot reissue the benefit. On advice from RASC at UCOP, OM appealed UC's decision, providing extensive documentation, but finally in mid-March received UC's decision on OM's appeal--negative. UC concluded, “... [OM] has exhausted all appeal procedures available under the Plan or through the University regarding UCRP benefits.” Furthermore, the missing payment not received by OM was reported by UCRP to the IRS as income to OM!
Just one more thing: TWO DAYS EARLIER, another retiree on ANOTHER CAMPUS had the exact SAME THING happen, PENSION REDIRECTED to the SAME BANK. This is documented in the Berkeley police report made by UC. (OM has a copy.) It would be surprising if these two cases are the only ones that have happened.
There are three lessons here for every retiree:
1. If someone gets your login info or SSN, they can steal not only your pension payment, but also all your personal information that UC has, putting all your other accounts at risk.
2. Monitor your pension deposit monthly to detect and stop theft immediately.
3. Based on this case, UC will not make good your stolen payment; UC accepts no responsibility.
UCRS password protection is inadequate. It needs a second validation: something you know (password) + some trusted device you have in your possession (telephone). Fidelity, contracted by UC for UC savings accounts (403b, 457, DCP), does require a second validation. They send a number to your phone by text or voice that you must enter to prove you are the owner of the account. So does CitiCard, and most other financial institutions, because it is more secure.
The hacker may know what you know, but can’t answer your phone. Even Gmail has adopted 2-step validation. UC DOES NOT require that second validation to assure that the person changing the direct deposit of pension payment is the person that owns the account and carries the phone of the owner of the account. Is UC carrying out its fiduciary responsibilities to assure that the correct person receives the pension payment?
Our credit card companies protect us from unauthorized charges, but UC is not protecting its retirees against unauthorized changes of direct deposit destination and is not making good a stolen pension payment. Had UC required two-factor validation, password + phone, OM would have received the Fall pension payment and the hacker would have failed on both campuses.
President, UCSC Emeriti Association