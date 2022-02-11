By SCOTT JACKSON

The city of Quincy’s employee retirement fund lost more than $3.5 million last year as a result of a phishing scam.

The state’s Public Employee Retirement Administration Commission, which regulates public employee pension funds in Massachusetts, in October issued a memo to retirement boards warning them to be on the lookout for a “phishing scheme involving the transfer of assets from board investment accounts.”

“PERAC has become aware that one of the retirement boards was the victim of a fraudulent transfer of assets, after a former employee’s board email account was hacked and then used to initiate a transfer of funds into a non-board account,” John Parsons, PERAC’s executive director, wrote in the October memo.

“We will be working with all parties involved to address this situation and will transmit further information as warranted,” Parsons added later in the memo.

In a phone interview Friday, Mayor Thomas Koch said he was not privy to the investments of the Quincy Retirement Board – the board operates completely independent of the city – but confirmed it had been the victim of the cyberattack. The mayor said the city’s pensioners were not in danger of missing out on payments because of it.

“I want to let our pensioners know that their payments are not in jeopardy at all,” he said.

The investigation into the hack is ongoing, Koch said, and he is looking forward to reading the final report once it is complete.

“We read about this stuff all time in the world today,” the mayor said, adding that the board has since taken steps to ensure what happened, “should never happen again.”

“There could be some recourse for the third parties the board deals with,” Koch added.

The Quincy Retirement Board is comprised of five members: two members elected by the city’s retirees, a mayoral appointee, the city auditor, and one member chosen by the other four. The board employs four staff members.

While the hack occurred in February 2021, the theft of the $3.5 million was not initially disclosed by the city in its prospectus for the sale of $475 million in pension obligation bonds later last year. The information was added to the prospectus after PERAC contacted the city about the disclosure.

Koch on Friday said the information was not purposely left out of the prospectus.

“The city was doing that (prospectus), and it probably never crossed their mind (to include it) because it is a separate entity,” he said.

The disclosure, Koch added, had no impact on the sale of the pension obligation bonds.

The funds Quincy borrowed using the pension obligation bonds are not managed by the Quincy Retirement Board. Rather, those funds were invested in the Massachusetts Pension Reserves Investment Management (PRIM) Board’s Pension Reserves Investment Trust (PRIT). The PRIT contains more than $90 billion in assets and its other clients include Massachusetts state employees, the Massachusetts Teachers’ Retirement System, and the Boston Teachers’ Union.

News of the theft of the $3.5 million was reported one week after the city of Quincy’s network and servers were the victim of a separate cyberattack.

That cyberattack, which the city’s IT Department identified on Feb. 4, was “different and more sophisticated” than the usual cyberattacks the city sees that involve email phishing scams where someone has to open a suspect email attachment that then allows access to the city’s network, according to Chris Walker, Koch’s chief of staff. During last week’s cyberattack, Walker said hackers directly broke into the city’s network.

Ransomware – text files that demanded money in exchange for the safe return of data – was discovered during the initial investigation into last week’s hack, Walker said. As of Monday, he said it was unknown if the hackers behind last week’s attack had obtained any actual data.

The city, Walker added, does not maintain any identity information from the public on its servers.

Members of the Koch administration are scheduled to provide an update on last week’s cyberattack at the Monday, Feb. 14 meeting of the Quincy City Council. That meeting will begin at 6:30 p.m. and will be conducted via Zoom. It will also air live on QATV.

The Zoom ID for the meeting is 889 8816 0282 and the passcode is 000066. Those wishing to listen to the meeting on their phones can do so by calling 929-436-2866 and entering the same meeting ID and passcode.