Employee Benefits & Cyber Attacks (Questions/Answers)

Your employees may understand that they risk identity theft every time there’s a major cyber breach at a store they’ve patronized. But do they know that even more of their personal information is available to hackers via their employee benefits plans? It’s a risk that an increasing number of business owners and CEOs have had to confront. How to safeguard employee data — and avoid the significant expense of managing a breach response — are just some of the questions that business leaders face around this issue.


Why are benefit plans so attractive to hackers?

Virtually any type of employee benefit plan is vulnerable to hackers. These include pension plans, health and welfare plans, and retirement savings accounts. All represent a rich source of personally identifiable information (PII).

First, hackers can gain access to the employee’s personal health information. Armed with that information, cyber thieves can do everything from filing fraudulent insurance claims and getting prescription medication to blackmailing the employee.

Hackers may also gain access to the actual employment benefit accounts, potentially using the accrued amounts as fraudulent assets to obtain lines of credit under the employee’s name.

Of course, being able to completely steal the employee’s identity is one of the most concerning threats. And given that employee enrollment forms will have birthdates, email addresses, official residence addresses, and social security numbers — at a minimum — there’s a strong potential for wide-scale identity theft using the PII.

What makes the plans so vulnerable to hacking?

The average worker assumes that the employer’s cash reserves and financial information would be a more attractive target than the employees’ own information. But a company is one entity and can move quickly to protect its holdings after a firewall is breached. A business’s large number of employees, however, represents better odds for a cyber attack. Even if many of them are able to protect their PII after a breach is discovered, the odds of capturing at least some employees’ personal data are still high.

Employee benefit planning is often handled by a third-party provider. And even when these plans are managed internally, the business may be using software that’s vulnerable to attack. For convenience, the employee plan programs are designed to be accessible to more than one agency or company, and from different platforms.

Yet the same technology that makes the software so easy for multiple parties to access is also what can make it more vulnerable to cyber attack.

Why do employee benefit plan breaches keep happening?

Unfortunately, pension planners, insurance companies and other partner providers still rely on “old school” tech to stop hackers. While anti-virus software might be helpful to stop non-corporate cyber attacks, it’s not always up to the task of stopping more sophisticated hackers.

Also, federal regulations don’t consider employee benefits information to be as sensitive as personal health records. For that reason, regulations aren’t as strong on the pension side of benefits as they are on the medical records side.

What can be done to protect your employees?

The threat to employee benefit plan information is ever-growing. But the good news is that business leaders can put several safeguards in place, protecting that information on several fronts.

If you use an outside provider to oversee your employee benefits programs, it’s essential to carefully examine what safeguards those partner providers have in place to protect the information they handle. If your own staff is handling the benefits program, it’s essential that they receive the most advanced and up-to-date training available. Even staffers proficient in software and administrative safeguards may not be aware of the latest viruses and scams by which hackers may gain entry.

Perhaps most crucially, you’ll need to set up a chain of command and strict protocol about how all information is handled. From your own IT specialists and human resources administrators to outside benefit plan providers, access should be limited to the scope of that department’s work. The more sensitive the information is, the fewer people should have access to it.

What’s the best way to implement these safeguards?

Hiring a reputable firm of cybersecurity experts will immediately put technological safeguards in place to protect employee PII. These experts can also train business leaders and relevant staffers about how to administer their employee benefit plan accounts safely — and how to select third-party benefit program providers that also put cybersecurity first.

