Is your TSP account secure?

From: Federal Times

By STEPHEN LOSEY

Retired U.S. Postal Service clerk Rosalyn Linker received a rude surprise in the mail May 29: a letter telling her that she was one of 123,201 Thrift Savings Plan participants whose Social Security numbers and other personal information had been stolen in a sophisticated cyber attack.

Last July.

That 10-month delay between when a Virginia TSP data center operated by Serco Inc. was hacked by unknown individuals, and when the victims were told has angered many TSP participants — and at least one leading lawmaker, Sen. Susan Collins, R-Maine.

“I am past furious,” Linker said in an interview with Federal Times. “I know computers get hacked — the Pentagon has been hacked. I don’t care that TSP got hacked, I care that it took us 10 months to find out. Who knows what someone’s been doing with my Social Security number for 10 months?”

The Federal Retirement Thrift Investment Board, which manages the TSP, says there is no indication the stolen data — which includes some victims’ routing numbers, TSP account numbers and addresses — has been misused so far. But it is offering victims one year of free credit monitoring to safeguard against any misuse.

But for Linker and other hacking victims, their faith in the TSP is shaken, and the incident is causing them to reconsider whether they want to leave their money with the plan.

“They’re saying we don’t know for sure if your information has been misused, but we still don’t know what happened,” said Carolyn, a hacking victim who asked that her last name not be published. “I really don’t know what to believe. Who’s to say there hasn’t been” a misuse of personal information that hasn’t yet been detected?

TSP said the names and Social Security numbers of 123,201 participants were stolen. Some of those participants also had their TSP account numbers, bank account routing numbers and other information stolen.

TSP is only advising affected participants to sign up for the credit monitoring service. It is not recommending affected members take other actions since it believes no information has been improperly used.

And the number of questions remaining about the hacking — the first in the TSP’s 25-year history — far outweighs what is so far known. Still unknown, for example, are:

• When and how the FBI learned of the hacking.

• Who hacked the computer and why.

• Whether the hackers plan to commit fraud with the information they gathered.

• And whether the criminals will be brought to justice.

Serco spokesman Alan Hill said that at the time of the hacking, a desktop computer at the data center was storing a subset of the 4.5 million account records for federal employees, service members and beneficiaries who are enrolled in TSP while Serco tested system enhancements.

The computer was not connected to the TSP network and did not have access to the other millions of account records. But it was connected to the Internet at some point, Hill said. Serco, which also holds contracts with the Defense Department and other agencies, said no other government data was at risk.

Hill said Serco believes the hackers behind the attack were not motivated by monetary gain or a desire to conduct identity theft because no data has been misused since the July hacking.

FRTIB external affairs director Kim Weaver said the board and Serco did not know about the attack until the FBI told them about it on April 11 — nine months after the attack. The infected computer was immediately shut down, and TSP and Serco began reviewing and enhancing their systems’ security.

Weaver said the data the FBI provided in April was unreadable at first, and that it took five weeks to clean it up and figure out exactly what and whose information had been compromised.

“We had some data that was just strings of numbers,” Weaver said. “You couldn’t tell what was a Social Security number, what was the day of the month, what was a payment amount. So it took quite a bit of time to get the data into a format where we could figure out the information.”

When asked why TSP did not tell participants about the breach right away, before it had figured out who was affected, Weaver said, “That would be a nice way to scare … 4 million people.”

“It was not a good thing, and we’re not happy about it,” Weaver said. “But it’s 2 percent of our population [that was affected]. To scare all of them would not be a smart move, in our estimation.”

The board mailed letters to affected participants May 25, the same day it announced the hacking publicly and informed Congress.

Collins, the ranking Republican on the Senate Homeland Security and Governmental Affairs Committee, on May 29 sent letters to the FBI and the thrift board asking why it took so long to report the attack.

Collins asked FBI Director Robert Mueller when the FBI learned about the attack and how it was discovered, why it delayed reporting the attack to the board, and why it did not tell Congress about the attack in April.

In a second letter, to FRTIB Executive Director Greg Long, Collins asked why the board did not tell Congress about the breach earlier.

“Until we had answers, we weren’t sure what we would be telling” Congress, Weaver said. “Telling someone that there is a data breach isn’t helpful” without more information.

FBI spokeswoman Jacqueline Maguire refused to tell Federal Times when it found out about the attack, or why it took nine months to notify TSP officials and Serco, because the investigation is ongoing.

Office of Management and Budget guidance documents suggest, but do not require, that agencies notify Congress of breaches, according to a Republican Senate aide.

Contractors must meet the same security requirements as federal agencies under the Federal Information Systems Management Act, but agencies are responsible for ensuring that contractors meet those standards, the aide said. Some agencies do a better job of this than others.

Weaver said TSP employees are working to address participants’ concerns. TSP’s computer security staffers are working on cybersecurity issues, and employees who deal with customers are making sure call centers are fully staffed and questions are being answered.

Serco has six contracts with FRTIB, including a $33 million contract to maintain the information technology components of the TSP record-keeping system, such as web design, software development and systems testing. The one-year contract ends this fiscal year.

Serco also operates a call center on behalf of the board, and administers accounting, death benefits and other payments.

Weaver said FRTIB has not decided whether to continue or end its contract with Serco come Oct. 1.

But some hacking victims say TSP should cut its ties with Serco.

“The contractor should be fired,” Linker said. “We trusted TSP, TSP trusted this company. They’re both at fault. I hope Senator Collins nails somebody to the wall.”

Weaver said the board is concerned about losing participants’ trust over this incident.

“We take our position in people’s retirement very seriously,” Weaver said. “We know this is something that will cause people concern, and we want to do everything to get them to retain their confidence.”

But for some, it may be too late.

“I’m disappointed,” said one retiree’s wife, who asked to not be named. “I kind of feel the government let us down quite a bit. You just feel kind of used and left out.”
