More than 120,000 federal employees and other account holders in the Thrift Savings Plan had personal information including Social Security numbers accessed last year in a “sophisticated cyber attack,” the TSP announced Friday morning.
The TSP is sending letters to affected individuals including information on how to contact a call center that has been established to offer services such as credit monitoring. Also, the TSP is monitoring the affected accounts for suspicious activity.
The attack was made last July against a contractor, Serco Inc., which along with the TSP was notified last month by the FBI. The company and the agency shut down the compromised computer, started a review of computer security procedures and beefed up protections, the TSP said in its announcement.
“We sincerely regret that this event occurred and we will provide assistance and support to affected individuals through a call center and credit monitoring,” TSP executive director Greg Long said in a statement. “We are working with Serco and other security experts to ensure that TSP data is protected and secure.”
Ed Casey, Serco chairman and chief executive officer, said in a statement, “Serco regrets this incident and the inconvenience it may cause to some Thrift Savings Plan participants and payees whose personal data was involved. It is an unfortunate reminder that federal government and private company IT assets, computers and data are under pervasive, sophisticated attack.”
Social Security numbers were stolen from all of the 123,201 affected accounts. Some 79,600 of them had only some TSP-related information taken in addition, while the remainder also had names and addresses stolen. In some of those cases, financial account numbers and routing numbers also were taken.
“We have no reason to believe that this data has been used or misused in any way,” TSP spokeswoman Kim Weaver said. She said it was the first such incident involving the TSP.
Weaver said the TSP needed more than a month after being informed to cross-match information provided by the FBI against TSP account files to determine which participants were affected and which of their information was lost.
A spokeswoman for the FBI said the investigation is ongoing and had no comment on what triggered the inquiry or when the breach was first discovered.
While the incident involved a contractor’s computer, information security is an ongoing concern for the government and has been the subject of numerous reports, congressional hearings and legislative proposals. According to an October 2011 report by the Government Accountability Office, federal agencies are experiencing increasing numbers of security incidents that put sensitive information at risk. The number of attacks reported by agencies to a central information security incident center increased from 5,503 in fiscal year 2006 to 41,776 incidents in fiscal year 2010, the report said.
The TSP is a 401(k)-style retirement savings plan available to active and retired federal employees and uniformed services personnel, with about 4.5 million account holders. The incident did not affect the TSP’s Web site, www.tsp.gov, through which account holders can make various transactions, the agency said.
This story has been updated.