
How One Phone Call Emptied a 401(k) Balance and Exposed Retirement Account Risks



The Disberry Case and Its Immediate Aftermath

An impostor contacted the recordkeeper for Colgate-Palmolive's 401(k) plan and posed as an employee to request changes to account contact details. Months afterward, the full balance of over seven hundred and fifty thousand dollars was transferred in one payment to an address and account in Las Vegas, while the actual owner resided in South Africa.

Paula Disberry filed suit against the recordkeeper, the company's benefits committee, and the plan custodian to recover the funds. The matter reached a settlement on confidential terms, and the court issued no decision on whether the recordkeeper bore responsibility for restoring the money.

The episode illustrated how limited personal details, already available from prior breaches, could satisfy basic security checks at a call center and allow an address update without notifying the account holder through existing channels.

Additional Lawsuits and Regulatory Response

Between 2009 and 2024, at least eleven separate actions were brought under the Employee Retirement Income Security Act concerning similar incidents of unauthorized access and distributions. In February 2026 the Government Accountability Office recommended that the Department of Labor develop updated guidance on safeguarding participant data in retirement plans.

Another plaintiff, a former Abbott Laboratories employee, alleged that a hacker used the forgot-password function on the plan portal to reset credentials and initiate a payout of two hundred and forty-five thousand dollars. Comparable claims have been filed against other recordkeepers, indicating the issue is not isolated to a single provider.

The GAO cited eleven separate lawsuits filed between 2009 and 2024 under the Employee Retirement Income Security Act. — Government Accountability Office

Why Standard Consumer Protections Do Not Apply

When an account takeover occurs in a 401(k), the safeguards that limit liability for credit-card fraud or unauthorized bank transfers are absent. The plan participant may bear the loss unless the recordkeeper or custodian is found to have violated fiduciary duties under ERISA, a determination that often requires litigation.

FBI data for 2025 showed that Americans aged sixty and older lost 7.7 billion dollars to internet crime, with investment fraud responsible for 3.5 billion of that total. Retirement savers represent a concentrated target because large balances can be moved after relatively simple verification steps.

Common Pathways Used by Perpetrators

Account takeovers frequently begin with information obtained from dark-web breach repositories, including names, dates of birth, partial Social Security numbers, and previously used passwords. When individuals reuse credentials across services, attackers can test the same data directly against plan portals.

In the Disberry matter the impostor bypassed the login portal altogether by calling the benefits center, supplying enough known details to pass identity verification, and requesting an address change. A temporary password was then mailed to the new contact point, completing the takeover without ever logging in under the original credentials.

Other schemes involve direct contact with the account holder. A retired lawyer lost seven hundred and forty thousand dollars after a caller claiming to be a federal investigator persuaded him to move funds himself under the belief that he was assisting an active inquiry.

Practical Steps That May Reduce Exposure

Account-change alerts function only when the recordkeeper actually transmits them. Cases have demonstrated that the absence of such notifications can allow weeks or months to pass before the legitimate owner learns of the activity.
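A recordkeeper-side check for the sequence described above (contact change by phone, credential mailed to the new contact point, payout months later), as an added example that is not taken from any recordkeeper's system. The event types, field names, placeholder destinations and the 0.9 full-balance ratio are assumptions, and the sample events are constructed. Because months can pass between the change and the payout, the rule keys on whether the owner ever confirmed the change through a pre-existing contact point, not on elapsed time.

```python
# Constructed events for one account; "day" is days since the first event.
TAKEOVER = [
    {"day": 0, "type": "contact_change", "channel": "call_center",
     "new_dest": "ADDR-NEW", "prior_contact_notified": False},
    {"day": 7, "type": "credential_issued", "dest": "ADDR-NEW"},
    {"day": 120, "type": "distribution", "dest": "ADDR-NEW",
     "amount": 750_000, "balance": 750_000},
]

# Constructed events where the owner confirms the change via the old contact.
CONFIRMED = [
    {"day": 0, "type": "contact_change", "channel": "call_center",
     "new_dest": "ADDR-NEW", "prior_contact_notified": True},
    {"day": 3, "type": "owner_confirmation", "dest": "ADDR-NEW"},
    {"day": 120, "type": "distribution", "dest": "ADDR-NEW",
     "amount": 750_000, "balance": 750_000},
]


def review(events, full_balance_ratio=0.9):
    """Return (day, rule) findings for one account's event history.

    A destination stays unconfirmed until the owner acknowledges the change
    through a contact point that existed before it, however long ago it was.
    """
    unconfirmed = set()
    findings = []
    for e in sorted(events, key=lambda ev: ev["day"]):
        kind = e["type"]
        if kind == "contact_change":
            unconfirmed.add(e["new_dest"])
            if not e.get("prior_contact_notified"):
                findings.append((e["day"], "contact_change_without_prior_channel_alert"))
        elif kind == "owner_confirmation":
            unconfirmed.discard(e["dest"])
        elif kind == "credential_issued" and e["dest"] in unconfirmed:
            findings.append((e["day"], "credential_sent_to_unconfirmed_contact"))
        elif kind == "distribution" and e["dest"] in unconfirmed:
            rule = "hold_distribution_to_unconfirmed_contact"
            if e["amount"] >= full_balance_ratio * e["balance"]:
                rule = "hold_full_balance_distribution_to_unconfirmed_contact"
            findings.append((e["day"], rule))
    return findings


if __name__ == "__main__":
    for finding in review(TAKEOVER):
        print(finding)
```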

Identity-theft monitoring services can observe activity across linked bank, credit-card, and investment accounts, providing an additional signal when unfamiliar transactions appear. Many of these services also scan dark-web sources and credit reports for signs that personal information has been exposed.

Plan participants can request details from their employer or administrator about the exact procedures that follow an address, phone, or bank-account change. Enabling any available multi-factor authentication and confirming that alerts are active for distributions remain straightforward measures that do not require additional cost.





Copyright © Info Gulp 2026