Incident FAQs


Q: I received a letter that my information was on a computer server that was potentially accessed by unknown persons. What does that mean?

A: The Retirement System contracts with vendors to provide SFERS members with on-line access to their account information.  One of the vendors, 10up Inc., set up a test environment on a separate computer server which included a database containing data from approximately 74,000 SFERS member accounts as of August 29, 2018.  The server data was not subsequently updated with information past that date.

On March 21, 2020, 10up Inc. learned that this server had been accessed by an outside party on February 24, 2020.  The vendor promptly shut down the server and began an investigation.  The vendor found no evidence that the information of SFERS members was removed from its server, but at this time, it cannot confirm that the information was not viewed or copied by an unauthorized party.  On March 26, 2020, the vendor notified SFERS of the server breach and both SFERS and the vendor continue to investigate the potential exposure of data.

Q: My colleague got a letter that said that personal information might have been compromised through a potential data breach involving SFERS members.  I did not receive a similar letter. What’s going on?

A: The potential data breach only involved SFERS active, inactive, retired members and continuants as of August 29, 2018.  If you became a SFERS member since August 2018, none of your personal data was involved in the potential breach.

Notices to impacted members were mailed to the member’s address on record with SFERS.  If you have recently moved, active members should notify your department human resources staff of your new address and retired members should notify SFERS directly of your change of address.

Q: I received the notice of the data breach from SFERS, but my notice did not include an offer of a complimentary one-year membership for Experian’s identity theft protection that was included in other members’ breach notices. Why was I not offered the data breach services?

A: The offer was made only to those individuals that may face an increase in risk for identity theft.

Q: When did this incident occur?

A: The server breach occurred on February 24, 2020.  On March 21, 2020, 10up Inc. learned that this server had been accessed by an outside party and 10up notified SFERS of the incident on March 26, 2020.

Q: Why is there a delay between the incident and notifying me that this happened?

A: Since learning of the potential breach, the vendor – 10up Inc., SFERS, and the City Attorney’s Office have conducted extensive investigations of the incident.  SFERS and City Attorney’s Office investigations and finalizing the Notice of Breach and the appropriate breach monitoring services were impacted by the City’s Shelter-in-Place order.

Q: How did this happen?

A: The Retirement System contracts with vendors to provide SFERS members with on-line access to their account information.  One of the vendors, 10up Inc., set up a test environment on a separate computer server which included a database containing data from approximately 74,000 SFERS member accounts as of August 29, 2018.  On March 21, 2020, 10up Inc. learned that this server had been accessed by an outside party on February 24, 2020.

Q: Whose information was compromised?

A: Data for all active, inactive and retired SFERS members and SFERS continuants as of August 29, 2018 were included in the data file that was on the server breached by an outside party.

Q: Was there any employment application data on the computer server?

A: No.

Q: Did the computer server contain any information about my phone number(s), my billing address, or other information about me?

A: Yes – home address for some members and potentially your cell phone number if it was in the member portal on or before August 2018.

Q: How many persons were impacted?

A: Information of 74,000 current and prior members was impacted.

Q: Was the information password protected or encrypted?

A: Certain data on the breached database was encrypted; however, the personal data identified in the Notice of Breach you received was not password protected or encrypted.

Q: What specific information was on the vendor’s computer server?

A: Social Security Numbers (SSN) and Bank Account Numbers were not included in the data file that was potentially breached.

For Active SFERS Members:

If you had not registered on the SFERS website, the specific information pertaining to you as of August 29, 2018 that may have been exposed due to the breach included the following:

  • Full Name
  • Full Home Address
  • Date of Birth
  • Designated Beneficiary Full Name (if any)
  • Designated Beneficiary Date of Birth
  • Designated Beneficiary Relationship to Member

If you had registered on the SFERS website, the specific information pertaining to you as of August 29, 2018 that may have been exposed due to the breach included the following:

  • Full Name
  • Full Home Address
  • Date of Birth
  • Designated Beneficiary Full Name (if any)
  • Designated Beneficiary Date of Birth
  • Designated Beneficiary Relationship to Member
  • SFERS Website UserName, Security Questions and Answers

For Retired SFERS Members and Continuants:

If you had not registered on the SFERS website, the specific information pertaining to you as of August 29, 2018 that may have been exposed due to the breach included the following:

  • Full Name
  • Full Home Address
  • Date of Birth
  • Designated Beneficiary Full Name (if any)
  • Designated Beneficiary Date of Birth
  • Designated Beneficiary Relationship to Member
  • IRS Form 1099R Information, excluding SSN
  • Bank ABA (routing) Number if you have Direct Deposit

If you had registered on the SFERS website, the specific information pertaining to you as of August 29, 2018 that may have been exposed due to the breach included the following:

  • Full Name
  • Full Home Address
  • Date of Birth
  • Designated Beneficiary Full Name (if any)
  • Designated Beneficiary Date of Birth
  • Designated Beneficiary Relationship to Member
  • IRS Form 1099R Information, excluding SSN
  • Bank ABA (routing) Number if you have Direct Deposit
  • SFERS Website UserName, Security Questions and Answers

Q: Do you suspect that my information has been used fraudulently?

A: We have no evidence suggesting that information on the server has been misused.

Q: Has anyone been adversely affected as a result of their information being potentially revealed to an outside party?

A: As of May 26, 2020, there have been no reports of members being adversely affected as a result of this incident.

Q: Should I close my bank account?

A: There were no bank account numbers on the database.

Q: Should I close my credit card or other accounts?

A: No account number information was contained in the computer server database. If your password was in the data file, we recommend you change that password wherever used.

How Do I…?