When Heide Bartnett went to the mailbox in January 2019 and opened up her 401(k) statement, she expected to see a robust balance accrued after 10 years as a nutritional products saleswoman with Abbott Laboratories.
Instead, the retiree from Darien said she saw lines of zeros and an unauthorized $245,000 withdrawal. Bartnett’s primary retirement savings had been nearly drained, she said.
“I was just in complete shock when I got the notice in the mail,” said Bartnett, 59. “I was very surprised and all I thought is this must be a mistake — this can’t be.”
Set up through employers and often administered by a third party, 401(k) savings accounts are generally seen as a hands-off investment, carrying a penalty for early withdrawal before the age of 591/2 and the expectation of a big payoff upon retirement.
While most people think of their 401(k) plans as safely tucked away for retirement, experts say the accounts may be particularly vulnerable to cyberfraud.
Bartnett, who left Abbott in 2012 and retired from another medical sales job in October, has been trying for more than a year to get the north suburban medical products giant to restore her 401(k) account, which she alleges was the target of such a fraud.
Earlier this month, she filed a federal lawsuit in Chicago against Abbott and Alight Solutions, a Lincolnshire-based employee benefits administrator, alleging they failed to protect her retirement savings plan and seeking to recover the $245,000 plus damages.
Bartnett alleges an unknown user accessed her account online, changed the password and initiated a transfer to a new bank account, after getting additional personal information from Alight customer service representatives over the phone, according to the complaint.
Abbott and Alight declined to comment on Bartnett’s lawsuit.
While Bartnett’s lawsuit is focused on a single alleged victim, the problem of 401(k) cyberfraud is widespread, experts say.
“Not only Alight, but all 401(k) record-keepers are under siege,” said Jay Schmitt, principal at Strategic Benefits Advisors, an Atlanta-based employee benefits consulting firm.
Alight, the nation’s largest employee benefits administrator, is under federal investigation for allegedly processing unauthorized retirement plan distributions made through cybersecurity breaches.
Formerly part of Aon Hewitt, the human resources outsourcing business was acquired by private equity firm Blackstone for about $4.8. billion in May 2017. The name was changed to Alight Solutions the following month.
Alight provides employee benefits administration for more than 3,250 corporate clients and has 15,000 employees in 29 countries, including about 1,700 in Illinois.
On Monday, the U.S. Department of Labor filed a petition in Chicago federal court seeking to compel Alight to turn over documents in the investigation launched last July.
“We have been working with the DOL (Department of Labor) to better understand their request, but their specific asks and intent remain broad and unclear,” Alight spokeswoman MacKenzie Lucas said in an email. “We will continue to work with them to provide necessary information while protecting the privacy of our clients and their people.”
The investigation alleges that Alight failed to disclose cybersecurity breaches and unauthorized distributions to its clients “for months, if at all,” and “repeatedly failed to restore the unauthorized amounts” to the accounts, according to court documents filed by the Labor Department.
Scott Allen, a Labor Department spokesman, declined to comment on the federal investigation.
In March, Alight reached a settlement in a case brought last year in California federal court by Naomi Berman, a former Estee Lauder employee, who alleged three unauthorized distributions in 2016 took $99,000 from her 401(k) account adminstered by Alight.
Terms of the settlement were not disclosed. Alight’s Lucas and an attorney for Berman declined to comment on the case. Allen would not say whether either of the two lawsuits were part of the Labor Department investigation.
Benefits adviser Schmitt said the hands-off nature of 401(k) plans for many investors makes them an attractive target for cybercriminals, who are drawn to the large pool of assets and relative lack of daily attention.
“People use a 401(k) as a put it in there and leave it, but you’ve still got to be vigilant about your security — changing passwords every so often,” Schmitt said. “If you take precautions, it minimizes the chance that this going to happen.”
Schmitt said enabling two-factor-authentication, where a separate code is required from a smartphone or email to access the 401(k) online account, would help thwart such fraud.
In her lawsuit, Bartnett alleges Abbott and Alight ignored basic security protocols in their interactions with the fraudster, from failing to enforce a security question routine to giving out her complete home address over the phone.
Bartnett never shared her password and had requested she be notified by email of any changes to her account, the lawsuit alleges.
“They didn’t do what they were supposed to do,” said Todd Rowden, a Chicago attorney representing Bartnett in the lawsuit. “They sent her notice of this stuff by mail and by the time she opened the mail and looked at it, it was too late.”
Bartnett had about $362,511 in her 401(k) plan at the end of 2018. By the next month, $245,000 — two-thirds of her retirement account — was gone.
“I felt like we did everything right,” Bartnett said. “Obviously, you can’t go in and look at your accounts every day. You can do so much checking to follow up on things. But this was so out of the blue — there were no warning signs along the way. It’s in the account one day and transferred out another day.”
The fraudster, whose IP address was registered to a user in India, changed the password and added a new bank account to Bartnett’s online profile in late December 2018, the lawsuit alleges.
But the impostor was unable to complete the distribution until calling the Abbott benefits center, staffed by Alight customer service reps, several times pretending to be Bartnett, the lawsuit alleges.
Bartnett has recovered $48,991 in taxes withheld from the fraudulent withdrawal and $59,494 from the SunTrust Bank account created by the fraudster, according to the complaint. But the lawsuit seeks the full balance, plus damages, including any lost income and expenses associated with the lawsuit.
Bartnett’s husband, Thomas, is trying to sell his DeKalb dry cleaning business so the couple can retire together and move someplace warmer, she said. Getting her retirement savings restored will be a prerequisite for such a move.
The depletion of her retirement account kept Bartnett in the workforce longer than she planned, and has given her second thoughts about the decision to retire for good in October, she said.
“This is always weighing on my mind,” she said. “Sometimes I still think maybe I need to go back to work again, to try to make up some of the money.”
