A single phone call and a handful of leaked personal details were all it took to wipe out nearly $752,000 from a retirement account, highlighting a dangerous vulnerability in how 401(k) plans verify identity. The case of Paula Disberry, a former employee living in South Africa, serves as a stark warning that the safeguards many savers assume are in place can be bypassed with startling ease.
The theft occurred when an impostor contacted Alight Solutions, the recordkeeper for the Colgate-Palmolive 401(k) plan, posing as Disberry. By providing basic information—the victim’s name, date of birth, mailing address, and the last four digits of her Social Security number—the fraudster successfully cleared the call center’s security check. This entry point allowed the attacker to change the account’s contact information, effectively locking the real owner out of the loop.
Months later, the entire balance of $751,430 was drained in a single lump sum and sent to a bank account and address in Las Vegas. Disberry subsequently filed a lawsuit against Alight, the Colgate benefits committee, and BNY Mellon, the plan’s custodian. While the case was eventually settled on undisclosed terms, the court did not issue a definitive ruling on whether the recordkeeper was legally obligated to restore the stolen funds.
The Anatomy of a Retirement Account Takeover
The Disberry case reveals a critical failure in “out-of-band” verification. Despite having Disberry’s correct email and phone number on file, Alight did not send an alert to those channels when the contact information was changed. Instead, the company mailed a temporary password to the new address provided by the impostor, ensuring the fraudster was the only one who could access the account.

Further complicating the theft was the failure of internal safety triggers. Disberry’s plan reportedly included a 14-day waiting period between an address change and any fund distribution—a common industry safeguard designed to give the real account holder time to spot a fraudulent change. However, her lawsuit alleged that Alight skipped this waiting period, allowing the impostor to request a full payout almost immediately.
This method of 401(k) account takeover fraud is becoming increasingly sophisticated, often relying on “dark web” data dumps. Cybercriminals harvest names, partial Social Security numbers, and birth dates from previous corporate data breaches to build profiles of their targets. Once they have enough data to fool a human operator at a call center, the technical security of the online portal becomes irrelevant.
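The two safeguards the article says were bypassed, an out-of-band alert to the prior contact channels on an address change and a 14-day hold before any distribution, can be expressed as a simple release check on a recordkeeper's side. The following is an added example written for this page, not Alight's or any plan's actual logic; the event fields, the function name and the sample dates and addresses are constructed assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical policy model (not Alight's or any plan's actual logic) of the
# two safeguards the article says failed: out-of-band alerts to the prior
# contact channels on an address change, and a 14-day hold between an
# address change and any distribution.
HOLD_DAYS = 14


def evaluate_distribution(events, request):
    """Return ('release' | 'hold', reasons) for a distribution request.

    events: chronological list of dicts with 'type' and 'ts' (datetime);
      'address_change' events also carry 'new_address' and
      'alerted_prior_channels' (True if the old email/phone were notified).
    request: dict with 'ts', 'amount' and 'destination_address'.
    """
    reasons = []
    changes = [e for e in events
               if e["type"] == "address_change" and e["ts"] <= request["ts"]]
    if changes:
        last = changes[-1]
        age = request["ts"] - last["ts"]
        in_hold = age < timedelta(days=HOLD_DAYS)
        if in_hold:
            reasons.append(f"address changed {age.days} days ago, inside the "
                           f"{HOLD_DAYS}-day hold")
        if not last.get("alerted_prior_channels", False):
            reasons.append("no out-of-band alert sent to prior email/phone")
        if in_hold and request["destination_address"] == last["new_address"]:
            reasons.append("payout destination equals the just-changed address")
    return ("hold" if reasons else "release", reasons)


# Constructed sample data mirroring the pattern the article describes.
T0 = datetime(2024, 1, 1)
TAKEOVER_EVENTS = [
    {"type": "address_change", "ts": T0 + timedelta(days=1),
     "new_address": "PO Box 1 (constructed)", "alerted_prior_channels": False},
]
TAKEOVER_REQUEST = {"ts": T0 + timedelta(days=5), "amount": 751_430,
                    "destination_address": "PO Box 1 (constructed)"}

COMPLIANT_EVENTS = [
    {"type": "address_change", "ts": T0,
     "new_address": "1 Old St (constructed)", "alerted_prior_channels": True},
]
COMPLIANT_REQUEST = {"ts": T0 + timedelta(days=40), "amount": 5_000,
                     "destination_address": "1 Old St (constructed)"}
```

Calling `evaluate_distribution(TAKEOVER_EVENTS, TAKEOVER_REQUEST)` returns a hold with all three reasons, while the compliant scenario releases with none.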
A Growing Pattern of Systemic Vulnerability
The loss of Disberry’s life savings is not an isolated incident, but part of a broader trend of retirement theft. Heide Bartnett, a former Abbott Laboratories employee, pursued similar legal action against Alight after a hacker used the “forgot password” feature of the plan portal to reset her credentials and trigger a $245,000 distribution.
Other scams target the individual rather than the recordkeeper. In 2024, Barry Heitin, a 76-year-old retired lawyer, lost $740,000 after being convinced by a fraudster posing as a federal investigator that his accounts were under attack. In that instance, the victim was manipulated into transferring the money himself, believing he was assisting a government investigation.
The scale of the problem is reflected in broader crime statistics. According to the FBI’s Internet Crime Complaint Center (IC3), Americans aged 60 and older are primary targets for investment fraud, with losses totaling billions of dollars annually. The Government Accountability Office (GAO) has previously urged the U.S. Department of Labor to provide clearer guidance on how retirement plan participant data should be protected, citing multiple lawsuits filed under the Employee Retirement Income Security Act (ERISA).
| Victim | Amount Lost | Primary Method | Target Entity |
|---|---|---|---|
| Paula Disberry | $751,430 | Call center impersonation | Alight Solutions |
| Barry Heitin | $740,000 | Social engineering (Fake Agent) | Direct Transfer |
| Heide Bartnett | $245,000 | Portal credential reset | Alight Solutions |
The Protection Gap: Why 401(k)s Differ from Credit Cards
One of the most alarming aspects of retirement theft is the lack of consumer protections. When a credit card is used fraudulently, federal law and bank policies typically limit the cardholder’s liability and provide a streamlined process for reversing the charges. These protections generally do not apply to 401(k) account takeovers.
Because these accounts are governed by ERISA and managed by third-party recordkeepers and custodians, the burden of proof often falls on the victim to show that the financial institution was negligent. As seen in the Disberry case, the legal path to recovery is often long, expensive, and results in settlements rather than clear legal precedents that force companies to improve their security.
Hardening Your Retirement Security
Given the limited federal protections, experts recommend that savers take proactive steps to secure their accounts. While no system is foolproof, adding layers of friction can make a target less attractive to hackers.

- Enable Multi-Factor Authentication (MFA): Ensure that any login attempt requires a secondary code sent to a mobile device or generated by an app.
- Audit Account Alerts: Specifically request email and text notifications for any change to passwords, mailing addresses, or linked bank accounts.
- Confirm Distribution Holds: Ask your plan administrator in writing if there is a mandatory waiting period between a change of address and a fund distribution.
- Quarterly Statement Reviews: Checking statements every three months rather than annually can help spot unauthorized changes to contact information before a payout is triggered.
- Freeze Your Credit: A credit freeze at Equifax, Experian, and TransUnion prevents scammers from opening new lines of credit using your stolen identity.
For those concerned that their data has already been compromised, the IRS Identity Protection PIN can prevent fraudulent tax returns from being filed in their name, which is often a precursor to larger identity theft schemes.
Disclaimer: This article is for informational purposes only and does not constitute legal or financial advice. Please consult with a certified financial planner or legal professional regarding your specific retirement account security.
The push for stronger industry standards continues as regulators examine the balance between account accessibility and security. The next major checkpoint for these protections will likely emerge from updated Department of Labor guidance on participant data security, as the industry grapples with the reality that basic identity verification is no longer enough to stop determined criminals.
