Security Gap at TIAA-CREF Was Huge, Critics Say

Former employees accuse company of not revealing extent of client data at risk
Sonia Radencovich did not raise any particular interest at TIAA-CREF when she began a temporary job at the giant pension company in September 2004 to help upgrade software that counselors there use to advise clients. But two months later, company officials discovered that she was really a convict named Sonia Howe. She had just been sentenced to four years in prison for helping her lover, Martin Frankel, loot insurance companies of more than $202-million in a fraud scheme. The federal Securities and Exchange Commission had banned her from ever working again for a securities broker or dealer.

Her sentencing, in U.S. District Court in New Haven, had taken place just 11 days before she started her job as a consultant at the Teachers Insurance and Annuity Association-College Retirement Equities Fund, and she had three months of freedom, on bail, before her prison term began.

Once Ms. Howe was unmasked, company officials escorted her from TIAA-CREF's office in Charlotte, N.C., and went into crisis mode. They quickly began an investigation to determine what data she had access to during her seven weeks of employment, for which she was given a log-in to a company development system. The officials also checked whether she had removed company data using a laptop that she often brought to the office.

TIAA-CREF officially determined that Ms. Howe had had access to data on fewer than 100 participants — primarily from the Purdue University system — because, they said, those were the only unscrambled records she used in her job testing computer applications. (That it was college employees who were affected is no coincidence; the company has 70 percent of the higher-education market, and 65 percent of its clients work or have worked for colleges.)

Since that breach, TIAA-CREF has revamped its security procedures. And although the company acknowledges that Ms. Howe did download confidential data to her laptop, there is no evidence that she used the information for illegal purposes, such as identity theft.

But former company employees have told The Chronicle that TIAA-CREF is hiding from its clients the extent of the confidential data that Ms. Howe may have seen — and possibly walked away with. In the wake of her departure, two of her supervisors say, they were fired for reporting data-security problems to company officials. One of those supervisors, Christopher O'Keefe, has filed a whistle-blower complaint against the company. He claims that Ms. Howe's network privileges gave her access to all 3.2 million of TIAA-CREF's clients, since all of the live data were available through test programs and databases at the time she was employed.

Stephanie Cohen Glass, a TIAA-CREF spokeswoman, denies that Ms. Howe was able to view information on all of the company's clients, and says Mr. O'Keefe was fired for lax management of Ms. Howe. But Mr. O'Keefe's assertion is backed by four other former managers at the company who spoke to The Chronicle. If true, that means Ms. Howe's employment at the company represented a far greater potential security breach than TIAA-CREF has let on.

The truth of the matter may come out only at trial. An administrative-law judge in the U.S. Department of Labor is expected to examine evidence presented from both sides at a hearing, probably this fall, and issue a decision next year.

A Once-Celebrated Employee

TIAA-CREF fired Mr. O'Keefe in February 2005, about three months after Ms. Howe's departure. He alleges that he was dismissed for his honesty about the level of Ms. Howe's access to the organization's data during the internal investigation, and because TIAA-CREF chose to make him a scapegoat.

Mr. O'Keefe's complaint, filed with the Occupational Safety and Health Administration in April 2005, demands lost income and other restitution from TIAA-CREF. His lawyer, Darryll W. Bolduc, says Mr. O'Keefe deserves close to $1-million. The complaint argues that TIAA-CREF violated a part of the Sarbanes-Oxley Act of 2002 that requires certain kinds of companies to disclose problems affecting their financial statements — in this case, failing to safeguard data — and that TIAA-CREF fired him for bringing that failure to its attention. Another of the law's provisions makes it a crime for companies to retaliate against employees who speak out about their employers' violations of Sarbanes-Oxley.

"When I understood that some disciplinary action was being taken against me, I kind of figured out what was going on," Mr. O'Keefe told The Chronicle. "I was the one guy who was saying something different than what they wanted to put out."

TIAA-CREF seemed to cast doubt on its own claims that Ms. Howe had only the most limited computer access when it circulated a memo among employees in April 2005 stating that Ms. Howe "potentially had access to more records."

Before his dismissal, Mr. O'Keefe says he had consistently received high marks during his 13 years at TIAA-CREF. He won an award for exceptional service in 2001, an honor that earned him a $1,000 bonus and a group lunch with John H. Biggs, the company's chairman at the time. TIAA-CREF has declined to comment on Mr. O'Keefe's performance as an employee, but former colleagues contacted by The Chronicle say Mr. O'Keefe was respected and a stickler for thorough work.

Mr. O'Keefe says TIAA-CREF originally told him he was fired for failing to cooperate in the company's investigation of Ms. Howe. Ms. Cohen Glass provided various reasons for Mr. O'Keefe's dismissal. She first said that he had been dismissed for failing to adequately supervise Ms. Howe, because he allowed her to gain access to client data and did not stop her from bringing her laptop into the office. Ms. Cohen Glass declined to describe how Mr. O'Keefe had failed to supervise Ms. Howe. Then, in an e-mail interview, Ms. Cohen Glass wrote that Mr. O'Keefe had also been uncooperative "because he did not provide truthful, complete answers to questions posed by the investigative team" that was looking into Ms. Howe's effect on TIAA-CREF.

Last week, as this article was going to press, Ms. Cohen Glass told The Chronicle that a computer-forensics examiner had determined that Mr. O'Keefe had viewed pornographic Web sites and downloaded the images to a company laptop that TIAA-CREF recovered from him last month. She accused him of "destroying evidence" by removing those and other files from the laptop. Viewing pornography on a company computer would be reason enough for TIAA-CREF to fire an employee, she said.

But Mr. O'Keefe strongly denied that he had viewed pornographic Web sites on the machine, and said the laptop had been used by others at the company besides him. And Mr. Bolduc, his lawyer, said a TIAA-CREF lawyer who told him about the pornography charges two weeks ago offered to settle the case for $150,000, an offer that Mr. O'Keefe rejected. TIAA-CREF declined to comment on the alleged offer.

Company Files Transferred

According to court documents filed by TIAA-CREF, on six days in November 2004 Ms. Howe brought a Dell laptop with her into work. She took it with her when she left her employment at the company. After her departure from TIAA-CREF, she agreed to let a computer-forensics examiner hired by the company look at her laptop for 20 minutes. The examiner, John E. Jorgensen, determined that she had used two USB data drives to transfer files from a company computer to her laptop.

What kind of data she transferred is unclear. She refused to let the examiner make a copy of her computer's hard drive or to open files, but she allowed him to see the types of files she had created. He concluded that she had created files typically used to build Web sites. Even so, TIAA-CREF was worried enough that it sued Ms. Howe to recover her laptop and USB drives. That case was settled out of court. As part of the settlement, TIAA-CREF made "forensic copies" of the contents of Ms. Howe's laptop and USB device and determined that she had only data "necessary for her to do the tasks assigned while at the company," Ms. Cohen Glass said in an e-mail interview.

Ms. Howe did not respond to The Chronicle's inquiries. A lawyer who has represented her, Stephen V. Manning, of Hartford, Conn., declined to comment on the case. TIAA-CREF's lawyer in the case, Eric D. Welsh, also declined to comment.

After Ms. Howe's brief presence at TIAA-CREF was first reported by Newsweek, in April 2005, the pension company posted a message on its Web site reassuring clients that it had confiscated and searched Ms. Howe's laptop. The word "laptop" was later changed to "desktop," according to snapshots of the Web site provided by Mr. Bolduc.

The Newsweek article also prompted TIAA-CREF to distribute to its employees a message, a copy of which was obtained by The Chronicle. They were told not to circulate it outside the company. "Although the Newsweek story is generally critical, it notes that fewer than 100 records were affected," the alert reads in part. "Moreover, while the contract worker potentially had access to more records, there is no evidence that any information was used improperly."

Mr. O'Keefe said he did not know that Ms. Howe was bringing her laptop into work. Former TIAA-CREF employees who spoke to The Chronicle — some on the condition that they remain anonymous — said it was common for workers to bring their own laptops to work. The company banned the practice only after Ms. Howe left TIAA-CREF, they said. Ms. Cohen Glass said in the e-mail interview that "TIAA policy has always been that company work should be done on company-issued computers."

Nonetheless, David Spector, who was Mr. O'Keefe's supervisor at the time and was dismissed from TIAA-CREF in November 2005, nine months after Mr. O'Keefe left the company, said, "I don't even know if I would have thought twice about someone bringing in their own laptop to work." "That certainly wasn't a rule that I would have said was well known," he said.

Scope of Vulnerability

Because Ms. Howe left the company before TIAA-CREF examined her laptop, how much client information, if any, she has in her possession may never be known. Nor, for the time being, is it known who has her laptop. But other former employees agree with Mr. O'Keefe that information-technology consultants, like Ms. Howe, typically had access to data on all TIAA-CREF participants. "Everyone had access to everything," said Mr. Spector.

Mr. O'Keefe had acted professionally in his handling of Ms. Howe, said Mr. Spector, who added that he was baffled by TIAA-CREF's decision to fire Mr. O'Keefe, and that he had not been consulted about it. "I was given no explanation as to why they would let him go," he said. "He did do an adequate job in supervising her," Mr. Spector said. "And then once he found out she was a felon, he did a good job in identifying how much impact she might have had. They didn't seem to like that."

Mr. Spector believes that he himself was dismissed from TIAA-CREF because he reported data-security violations to his superiors. But he declined to elaborate, citing a severance package he received in return for a signed agreement to keep silent about his experience at TIAA-CREF. He did say that company officials told him he had been a great employee.

Mr. O'Keefe said he had cooperated fully with company officials investigating what data Ms. Howe saw. He said they even asked him to describe the types of crimes someone could commit with the information. In documents filed with his suit, Mr. O'Keefe said he had told officials that Ms. Howe might be able to set up a new account and make financial transactions online with a participant's Social Security number, birthday, and policy number. It was because of his advice, he said, that on November 24, 2004, TIAA-CREF closed down its Web site, temporarily blocking clients from gaining electronic access to their accounts. The move was intended to prevent Ms. Howe from performing financial transactions online using participants' account information, he said. Ms. Cohen Glass, of TIAA-CREF, confirmed that concern over Ms. Howe had prompted the company to take the action, but she denied that it was at Mr. O'Keefe's request.

Mr. O'Keefe said he had advised TIAA-CREF officials to stop their practice of testing systems using actual names and Social Security numbers of plan participants. If Ms. Howe had seen only phony or encrypted data, for example, TIAA-CREF would have had nothing to worry about. "They didn't encrypt Social Security numbers," said Mr. O'Keefe. "They used everybody's information. And then they allowed people to come in, a lot of consultants and stuff, and pretty much have at it." Ms. Cohen Glass acknowledged during the e-mail interview that when Ms. Howe was working at TIAA-CREF, "our scrambling was not sufficient, and we have since taken further steps to encrypt our data in the test environment."

In addition, Mr. O'Keefe said, he told TIAA-CREF that it needed to establish a policy for determining the level of access given to new employees. He said the company typically just reassigned the identification number of a former employee to a newcomer with similar responsibilities, without determining whether the computer access granted to the newcomer was appropriate. That is what the company did in Ms. Howe's case, he said. TIAA-CREF says otherwise. "Mr. O'Keefe was responsible for determining her access rights," Ms. Cohen Glass wrote in an e-mail message, referring to Ms. Howe. "If he chose to do it by duplicating previous access rights he had given, then that was his managerial decision."

Since Ms. Howe left the company, TIAA-CREF has stepped up data security, said Mr. O'Keefe. It created an information-security department, began encrypting confidential data, and established a policy for controlling employee access to those data. "Of course they deny my participation in any of those things," said Mr. O'Keefe.

Ms. Cohen Glass wrote that TIAA-CREF created an information-security organization in October 2003, before Ms. Howe began working for the company. The spokeswoman added that the company "had policies regarding encrypting confidential data and controlling employee access" before Ms. Howe's arrival at TIAA-CREF. But Ms. Cohen Glass acknowledged that the company tightened its authentication requirements for customers doing financial transactions online after Ms. Howe left. "Until we were able to determine the scope of the issue," Ms. Cohen Glass said, "it was important that we made sure that there was no improper authorization of transactions." She said the company had contacted the roughly 100 clients whose data it determined Ms. Howe had seen, and advised them to place an alert on their credit reports.

TIAA-CREF also changed its procedures for evaluating job candidates. TEKsystems, a technology-staffing company, had recommended that TIAA-CREF consider hiring Ms. Howe, among other job applicants. TEKsystems had hired Kroll Background America Inc. to run a background check on Sonia Dix Radencovich, the name Ms. Howe had provided. Kroll's search of court records in counties where Ms. Howe lived for the previous seven years turned up nothing criminal on the name, according to a Kroll spokeswoman. TIAA-CREF said it has now hired its own employment-screening firm to do more-comprehensive background checks on consultants and prospective employees.

New Law for Whistle-Blowers

Mr. O'Keefe faces an uphill battle in his complaint. First he has to establish that TIAA-CREF must abide by the Sarbanes-Oxley Act. In general the law, which was adopted after a wave of corporate accounting scandals, requires publicly traded companies to follow certain financial-reporting and governance measures. But TIAA-CREF argues that only CREF, the company's investment arm, has to abide by Sarbanes-Oxley, and not TIAA, the company's insurance arm, for which Mr. O'Keefe worked. TIAA is not a public company. And the company has denied all of Mr. O'Keefe's allegations in his whistle-blower complaint.

Mr. Bolduc, the plaintiff's lawyer, said TIAA-CREF was attempting to exploit a technicality to evade responsibility. All TIAA employees perform work for CREF as well, he said: "For all intents and purposes," the two entities "act as one company." When the company sends a memo to its employees, they are addressed as TIAA-CREF employees, he noted, and all employees, not just those in CREF, are encouraged to report Sarbanes-Oxley violations to a whistle-blower hotline.

The lawsuit nearly died in June 2005, when a regional director of the Occupational Safety and Health Administration ruled that Sarbanes-Oxley does not apply to TIAA employees. But Mr. O'Keefe appealed that decision to the Department of Labor, and an administrative-law judge allowed the complaint to move forward. Judge Daniel A. Sarno Jr. wrote that it was an open question whether TIAA is covered by Sarbanes-Oxley. He said the evidence that Mr. O'Keefe has submitted showed that the affairs of TIAA and CREF were indeed commingled. "TIAA-CREF holds itself out to its employees, customers, and to the public as a single entity," he wrote in a decision last October. "TIAA-CREF has a CEO and CFO, and the Board of Overseers of TIAA and CREF are composed of the same individuals. TIAA and CREF also share officers and managers, some of whom allegedly participated in the investigation that led to complainant's termination."

Mr. Sarno is scheduled to listen to arguments from both sides during a several-day hearing that is likely to begin in the fall, in his office in Newport News, Va. The judge will consider whether TIAA-CREF is subject to Sarbanes-Oxley and if so, determine whether or not the company retaliated against Mr. O'Keefe.

Mark Rasch, senior vice president and chief security counsel for Solutionary Inc., an information-technology-security company in Omaha, said more information-technology employees, like Mr. O'Keefe, are using Sarbanes-Oxley to press their organizations into additional spending on computer systems and on beefing up data security. And while he would not comment on the merits of Mr. O'Keefe's complaint, he said, "It's not uncommon when there's a major security incident or breach for an organization to search for a scapegoat."

Apart from alleged Sarbanes-Oxley violations, argued Mr. Bolduc, TIAA-CREF may have violated a 2003 California privacy-protection law that requires organizations doing business in the state to notify their California clients if their personal information is compromised.

Mr. O'Keefe said he just wants his good name back. Now working for another financial-services company, he said TIAA-CREF had damaged his reputation. But he has no harsh words for Ms. Howe, the convict who eventually caused him to lose his job. In January 2005, two months after she left TIAA-CREF, she reported to federal prison in Alderson, W.Va. (Martha Stewart's former place of confinement), where she is scheduled to serve time until June 2008. "She had some good technical skills," Mr. O'Keefe said of Ms. Howe. Before he found out about her criminal past, he considered asking her to work at TIAA-CREF permanently, he said. "She was that good."

http://chronicle.com Section: Information Technology, Volume 52, Issue 49, Page A1