A key senator asked the Thrift Savings Plan for more details Tuesday on the data security breach that resulted in the disclosure of the Social Security numbers and other information of more than 123,000 federal employees and other TSP account holders.
The request from Sen. Susan Collins of Maine, the ranking Republican on the Senate Homeland Security and Governmental Affairs Committee, which oversees the TSP, comes as affected account holders are receiving notification letters that the 401(k)-style retirement savings program began mailing last Friday.
The TSP disclosed that day that the Social Security numbers of 123,201 participants had been stolen, out of the 4.5 million federal employees and uniformed services personnel and retirees who have accounts. About a third of those affected also had names and addresses stolen in the cyberattack, and in some of those cases, additional information, including financial account numbers and routing numbers, was taken. The other two-thirds lost some TSP-related information in addition to their Social Security numbers.
Collins’s letter reflects concerns raised by many employees since the announcement regarding the sequence of events. While the breach occurred last July, the FBI did not notify the affected contractor until April and the contractor in turn told the TSP on April 10. The TSP did not make its announcement until May 25.
Among other questions, Collins asked in her letter when the identity of the affected TSP participants was first assessed, and why Congress was not immediately notified and kept up to date as more details of the incident became known. “I want to assess the process and timeframe whereby this attack was discovered and addressed,” Collins wrote, noting that her committee oversees cybersecurity issues government-wide.
The FBI has declined to comment on when the breach was first detected. The TSP has said it needed the time between when it was notified and when it made its disclosure to analyze the information provided by the FBI and match it against TSP accounts to determine who was affected and what information was lost.
“We wanted to be able to inform the affected individuals as quickly as we could without unnecessarily scaring the vast majority of our participants who are unaffected,” TSP spokeswoman Kim Weaver said in an e-mail. She said the agency is working on a response to Collins.
The attack was made against a contractor, Serco, which along with the TSP has said it regrets the incident and has called the attack a sophisticated one. The TSP has said it has no evidence that the illegally accessed information has been misused; it is monitoring affected accounts and making available the services of a credit-monitoring and consulting firm it has hired.