City of Detroit retirees data breach causes concern

There is a new warning about an alleged data breach affecting some City of Detroit retirees. Personal information, including Social Security Numbers, appears to have been exposed online.

"I’m just worried about people having their Social Security out on the dark web and people buying cars, homes and all that kind of thing," said Kathleen Weldon.

And you would be concerned too, if you found your co-workers’ personal information as well as your own on what’s supposed to be a secure platform.

It’s what Weldon, a Detroit retiree, stumbled upon Wednesday morning after setting up her account on the City of Detroit retirement system’s new online program.

"I saw several links called lists, and I clicked on one - and it was my name and this first list was eight pages - my name and several other people," she said. "Some of them I knew, some of them I didn’t know. It was their name and it was their Social Security Number."

Weldon says there were at least 10 other links with retirees’ personal information under the documents page. She showed FOX 2 the redacted list of her fellow retirees’ personal information and we took the extra precaution of obscuring it further.

She told the retirement system about those lists and they were later taken down, but the damage may have already been done.

"This is some of the worst type of information that you don’t want falling into the wrong hands," said David Derigiotis. "If you’re able to tie an individual’s name with their Social Security Number, which really is the crown jewel for identity in terms of taking loans, taking out credit, whatever it may be, under somebody’s name, that’s it."

Derigiotis is a cyber-security expert and says oftentimes in data breaches a company unintentionally shares sensitive information.

He says the retirement system for the City of Detroit, or RSCD, would do well to conduct a forensic analysis.

"They have to take a look at how long was this information displayed online," he said. "How many clicks, how many visitors did we have to the site? How many eyeballs were looking at it? Did anybody copy and download that information? They really have to go into damage control."

FOX 2 contacted RSCD Wednesday night. Thursday morning, the RSCD said the breach affected "only 68 people" and was in a "secure portal that only employees and retirees have credentialed access to."

"Someone definitely dropped the ball," said Weldon. "How do you launch a new system and not check for things like this?"

David Derigiotis suggests putting a freeze on your credit with all of the credit bureaus, looking at any open credit lines you have to see if anyone has created a loan in your name, possibly getting a fraud alert on top of it, and watching out for any unusual activity.

(UPDATE 7/28): The General Retirement System released a statement regarding the incident.

A spokesperson said that a forensic analysis concluded that Weldon was the only person to click on the information, the person responsible for the mistake was identified and "corrective action" was taken.

"No one else has clicked on the information (according to forensic analysis)," the statement said. "(There were) multiple duplicates of same individuals (on the list), many of whom are deceased."

Identity theft monitoring will be provided to the retirees, it added.