Phishing scam costs GovGuam Retirement Fund over $300K

In a costly cybersecurity breach, the Government of Guam Retirement Fund lost over $309,000 after a hacker successfully gained access through a phishing email. According to a newly released report by the Office of Public Accountability, a fund employee unknowingly responded to the fraudulent message during Fiscal Year 2024, giving hackers access to the fund’s login credentials.
While the original amount taken was $378,000, the fund was able to recover about $69,000 after alerting its bank and local and federal authorities. Investigators say the suspicious transactions happened outside normal business hours, even on weekends, raising questions about oversight and prompting auditors Burger & Comer to recommend stronger security protocols, including not storing login data on computers.
Despite the breach, auditors still gave the fund a clean bill of health on its financial statements, marking the 19th consecutive year without material weaknesses in internal controls.
Financially, the fund ended the year strong with a $507 million jump in net position, driven largely by investment gains. But the audit made clear: even strong returns can't shield the fund from cyber threats without swift and vigilant oversight.