On June 27, 2018, the State of Connecticut Treasurer’s Office announced that about $1.4 million had been stolen from Connecticut Higher Education Trust (CHET) college-savings accounts. This theft resulted from data security breaches that occurred in early June, 2018.

Connecticut State Treasurer Denise L. Nappier confirmed that TIAA-CREF Tuition Financing Inc. (TIAA-CREF), the CHET Direct program manager, disclosed that 44 unauthorized withdrawals, totaling $1,416,635, had been made from 21 CHET accounts. State and federal agencies are conducting a coordinated investigation into the data security breach.

CHET account data and online systems are housed at and maintained by TIAA-CREF and its third-party service providers. TIAA-CREF has agreed to fully restore all affected CHET accounts and provide two years of identity fraud protection and identity restoration services, as well as $1 million in identity theft insurance coverage for the affected customers. TIAA-CREF reported that $442,540 of the unauthorized withdrawals had been recovered so far. Given that less than .01 percent of the CHET accounts were affected, the CHET security breach illustrates how significant financial losses can occur even when a cyber-attack affects only a tiny fraction of customer accounts.

Treasurer Nappier stated that this data security breach was the “first time that we are aware of fraudulent account activity in CHET’s 20+ year history.” The length of time that passed before CHET experienced its first security data breach underscores the importance of data security protection procedures and shows that a past history of zero cyber-attacks does not eliminate the risk of financial losses from future cyber-attacks.

This article co-authored with guest blogger Samuel C. Maduabueke, a Robinson+Cole summer associate and student at the University Of Connecticut School of Law.