The San Francisco Employees’ Retirement System has suffered a data breach, with data belonging to some 74,000 members likely stolen.

The data breach came via the third-party web development firm 10up Inc. which hosts the website for SFERS. 10up placed a database of 74,000 members dating from August 2018 on a test server that was hacked Feb. 24. The breach was not discovered until March 21.

Data potentially stolen includes full names, home address, dates of birth, beneficiary details, including name, date of birth and relations as well as SFERS’ website username and security questions and answers. For retired SREFS members, the information also included IRS forms and bank routing numbers.

The breach notice from SFERS states that 10Up has no evidence that the member details were removed from the server but likewise cannot confirm that the data was not viewed or copied.

In what has become a textbook response to data breaches, SFERS has reset all user passwords and is offering members a free year of identity theft protection from Experian IdentityWorks.

“The SF Employee’s Retirement System breach is a good reminder that even applications on test systems need to be secured against threats, whether they are internal (bad actors in the organization and its partners) or external (coming from hackers trying to exploit vulnerabilities),” Jayant Shukla, chief technology officer and co-founder of web application security form K2 Cyber Security Inc., told SiliconANGLE. “Vulnerabilities, misconfigured servers and misused credentials are among the top reasons systems get breached.”

Trevor Morgan, product manager at data security specialist comforte AG, noted that hackers will always find a way through or around perimeter security.

“However, by taking effective measures to protect data in ways that go beyond ordinary encryption and perimeter defenses — measures such as tokenization — the detrimental impact of these breaches can be eliminated,” Morgan said. That’s because, he added, “tokenization replaces sensitive data with harmless and representational tokens, so no matter who gets ahold of that data, and no matter where that data travels, it prevents any inherent meaning from being conveyed. Sensitive information remains hidden, and the data becomes worthless to those who would steal it, sell it or use it to compromise others.”

Image: SFERS