Senator asks for details in Thrift Savings breach
A key senator asked the Thrift Savings Plan for more details Tuesday on the data security breach that resulted in the disclosure of the Social Security numbers and other information of more than 123,000 federal employees and other TSP account holders.
The request from Sen. Susan Collins of Maine, the ranking Republican on the Senate Homeland Security and Governmental Affairs Committee, which oversees the TSP, came as affected account holders are receiving notification letters that the 401(k)-style retirement savings program began mailing Friday.
The TSP disclosed last week that the Social Security numbers of 123,201 participants had been stolen, out of the 4.5 million federal employees and uniformed services personnel and retirees who have accounts. About one-third of those affected also had names and addresses stolen in the cyber-attack, and in some of those cases, additional information, including financial account numbers and routing numbers, was taken. The other two-thirds lost some TSP-related information in addition to their Social Security numbers.
Collins’s letter reflects concerns raised by many employees since the announcement regarding the sequence of events. Although the breach occurred in July, the FBI did not notify the affected contractor until April, and the contractor in turn told the TSP on April 10. The TSP did not make its announcement until Friday.
Among other questions, Collins asked in her letter when the identity of the affected TSP participants was first assessed, and why Congress was not immediately notified and kept up to date as more details of the incident became known.
“I want to assess the process and time frame whereby this attack was discovered and addressed,” Collins wrote, noting that her committee oversees
cyber-security issues government-wide.
The FBI has declined to comment on when the breach was detected.
The TSP has said it needed the time between when it was notified and when it made its disclosure to analyze the information provided by the FBI and match it against TSP accounts to determine who was affected and what information was lost.
“We wanted to be able to inform the affected individuals as quickly as we could without unnecessarily scaring the vast majority of our participants who are unaffected,” TSP spokeswoman Kim Weaver said in an e-mail. She said the agency is working on a response to Collins.
The attack was made against a contractor, Serco, which along with the TSP has said it regrets the incident and has called the attack a sophisticated one.
The TSP has said that it has no evidence that the illegally accessed information has been misused and that it is monitoring affected accounts and making available the services of a credit-monitoring and consulting firm it has hired.