Cyber crooks have pilfered roughly $1.4 million from 21 account holders at the Connecticut Higher Education Trust (CHET), according to reports.
The CHET is a college savings program used by students to fund costs, such as tuition, fees, room and board, books and equipment, at any accredited university, college or vocational school nationwide. The Trust oversees some 150,000 accounts.
On Wednesday, Connecticut State Treasurer Denise Nappier said hackers gained access to 21 accounts to make 44 unauthorized withdrawals totaling $1.4 million. More than $442,000 was subsequently recovered or the transfers stopped, officials said.
TIAA-CREF Tuition Financing Covers Losses
The burgled accounts will be restored by TIAA-CREF Tuition Financing (TFI), the CHET Direct program manager, which alerted the state Treasury about the breach. CHET account information and online systems are stored and maintained by TFI and third-party service providers, reports said. TFI has since upgraded its security systems to guard against another incident.
Affected CHET account holders will be provided with two years of identity fraud protection services, identity restoration services and $1 million in identity theft insurance coverage, Nappier said. "This is this first time that we are aware of fraudulent account activity in CHET's 20+ year history, and I am deeply concerned that these criminal activities have impacted CHET account holders,” she said.
Right now the robbers remain at large. The state Treasury wants a post mortem, independent review of fraudulent account activity and an independent audit of TFI’s cyber, telephone and manual security programs, according to the Hartford Courant. Federal, state and local law enforcement agencies are conducting a coordinated investigation, the report said.
Less than two months ago, Connecticut released a new Cybersecurity Action Plan covering the public and private sector, endorsed by Governor Dannel Malloy and authored by Arthur House, the state’s cybersecurity risk officer (CRO), and CIO Mark Raymond. The officials positioned it as a “call to arms to prepare for, prevent, respond to and recover from threats to our cybersecurity infrastructure at the state, local and private sector levels.”
A year ago, the Governor created the CRO position, named House to fill the slot and tasked him with making the state’s cybersecurity strategy his first priority.