The Washington PostDemocracy Dies in Darkness

Don’t phish in our pond, TSP tells Pentagon

Placeholder while article actions load

The Thrift Savings Plan has told the Pentagon it was “very dismayed” about an e-mail that an Army component sent to test cybersecurity awareness but that snowballed into widespread concern about the safety of investments in the 401(k)-style program for federal employees and military personnel.

The fake phishing e-mail stated that TSP investors needed to reset their passwords because their accounts had been compromised and provided a link to a Web address that closely resembled the official TSP address,

“I am writing to express our serious concerns with this exercise and to request that the TSP not be used in future training exercises,” TSP Executive Director Gregory T. Long wrote in largely identical letters sent last month to the chief information officers of the Defense Department, the Army and the U.S. Southern Command. “As with any financial institution, it is imperative that we earn and maintain the trust of our participants, as we hold their retirement savings in our plan.”

The TSP provided the letters at the request of The Washington Post.

Although the fake e-mail was sent originally to only 34 persons, it soon spread inside the Army and then to numerous other agencies, spurring concerned calls to the TSP. The TSP’s information security office started tracing the e-mail, ultimately determining that the fake site was owned by the Army, and the TSP posted a warning about the dangers of identity theft posed by sites mirroring its own.

Meanwhile, agencies, including the FBI, notified employees that the e-mail was fake; the U.S. Computer Emergency Response Team distributed a notice about it to all federal agencies; and the Financial Services Information Sharing and Analysis Center issued a warning to financial institutions.

“This entire episode could have easily been avoided had the exercise not taken liberties with the Thrift Savings Plan name and brand,” Long wrote, pointing out the wasted “time and attention from computer security staffs at a number of federal agencies,” in addition to the TSP’s own troubles.

A DoD official said in March that future phishing tests will be approved by the CIO’s office and that if a recognizable entity such as the savings plan is used, the organization will be asked whether it wants to participate.

Meanwhile, the TSP this week strengthened its password requirements for its online account access feature but is not sending e-mails to participants telling them they need to change their passwords. Instead, participants whose passwords do not meet the new standards will have to make a change the next time they log in.

“E-mail links indicating that you need to reset your password may send you to fraudulent websites, and these websites may steal your login credentials when you enter them,” a notice on the TSP site says.