The Oklahoma Law Enforcement Retirement System (OLERS) posted an announcement online about the investigation Thursday, 10 days after the money went missing.
"We are certain the stolen funds will be recovered," the state agency said. "Most importantly, no pension benefits to members or beneficiaries have been impacted or put at risk. All benefits will continue to be paid in a timely fashion as always."
The state agency made the announcement only after being contacted by The Oklahoman about the cybercrime.
"The total diversion was $4.2 million," OLERS executive director, Duane A. Michael, told The Oklahoman on Thursday. "Of that, we've recovered $477,000."
The system has almost 1,500 retirees and more than $1 billion in funds. It is separate from the larger Oklahoma Police Pension and Retirement System.
The executive director said the illegal diversion took place Aug. 26 after one employee's email account was hacked. He said the unknown thief or thieves then stole funds being managed by an investment manager on behalf of OLERS.
"Upon learning of the cybersecurity breach and theft, we took immediate action to terminate the email account and verify that no other cyberbreaches had occurred and no other funds had been stolen. We also notified the FBI," he said.
Michael would not identify the OLERS employee whose email account was hacked. He said the employee was not fired. He said employees are getting training to prevent a cybersecurity breach from happening again.
"It happens every day," the agency's longtime president, Roy Rogers, said of cybercrime. "It can happen to an individual. It can happen to a state. It can happen to a company. ... This kind of crime has just got rampant."
Rogers, a retired trooper, predicted the FBI will recover more of the funds because OLERS employees moved so quickly to get that help. Rogers said OLERS has insurance coverage to make up the loss "if push comes to shove."
"Hopefully, the transferring party, surely they've got some coverage, too," Rogers said. "We'll be made whole on this deal."
OLERS uses an email system run by the state Office of Management and Enterprise Services. A spokesman for that state agency said it would have no comment on the cybersecurity breach because the investigation is ongoing.
The FBI also declined comment.
Gov. Kevin Stitt has made cybersecurity an emphasis of his administration. In January, he tapped the state's longtime cybersecurity expert to be the new director of the Oklahoma Department of Emergency Management.
"The Stitt administration is continuing to work to unify all state agencies in a single cybersecurity program," the governor's spokeswoman, Donelle Harder, said Thursday.
©2019 The Oklahoman. Distributed by Tribune Content Agency, LLC.
