Cyber thieves steal $3.5 million in Quincy pension fund hack

The email phishing scam targeted city employees’ retirement funds.

Cyber thieves hacked the city of Quincy’s employee pension fund and made off with $3.5 million in an email phishing scam, according to local reports.

The hack reportedly happened a year ago but is just now coming to light. According to The Patriot Ledger, John Parsons, executive director of the Public Employee Retirement Administration Commission, said the transaction was “the result of human error and a breakdown of security controls.”

An investment manager for the Quincy Retirement Board reportedly got an email from a former employee’s board account, which had been hacked, asking for a $3.5 million wire transfer. The manager then followed the fraudulent email’s instructions, according to the Ledger’s report.


The stolen money was meant for 3,000 city employees’ pensions — funds were slated to go to current workers as well as retirees and the surviving family members of deceased employees. 

Though the hack happened in February 2021, the board didn’t discover the transfer until months later, then reported it in October 2021. The commission is now investigating the board.

WCVB quoted a lawyer for the board, who said an unauthorized user compromised the city’s email system by posing as a board staff member. The thief then “persuaded one of the Board’s investment managers to transfer $3.5 million to a third-party bank with which the Board did not have an account,” according to the report.

The theft happened amid warnings of increasing cyber hacks on retirement funds. Parsons told the Ledger the investigation will take months to complete, and a public report will be issued on the findings. 

Quincy officials told WCVB that there’s no threat of members of the retirement system not getting paid. The system has hundreds of millions in assets and the annual payments represent just a small fraction, the report said. 


This discussion has ended. Please join elsewhere on Boston.com