The Washington Post

Don’t phish in our pond, TSP tells Pentagon


One of the government’s smallest agencies has written to the largest to say, in effect, that if you want to go phishing, do it somewhere else.

The Thrift Savings Plan has told the Pentagon it was “very dismayed” about an e-mail that an Army component sent to test cybersecurity awareness but that snowballed into widespread concern about the safety of investments in the 401(k)-style program for federal employees and military personnel.

The fake phishing e-mail stated that TSP investors needed to reset their passwords because their accounts had been compromised and provided a link to a Web address that closely resembled the official TSP address.
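
The lure described above works because the link's host resembles the legitimate TSP address. As an added example (not code from the article, the TSP, or the Army), here is a small Python link checker of the kind a mail gateway or security team could run over a suspicious message: it extracts links, parses the real hostname (so a brand name placed before an `@` or in the path does not fool it), and flags hosts that are not under the official domain but contain or closely resemble it. The official domain `tsp.gov`, the sample e-mail and the lookalike hosts in it are constructed for illustration; the article does not name the address the Army used.

```python
import re
from urllib.parse import urlparse

# Assumed legitimate domain for the Thrift Savings Plan (not stated in the article).
OFFICIAL_DOMAIN = "tsp.gov"
BRAND = "tsp"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch typo-squats such as a swapped letter pair."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a parsed hostname."""
    host = host.lower().rstrip(".")
    # Only the official domain itself or a subdomain of it counts as legitimate.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "legitimate"
    # The official name or brand embedded in some other domain, e.g. tsp.gov.example.net.
    if OFFICIAL_DOMAIN in host or BRAND in host:
        return "lookalike"
    # Crude registrable-domain guess (last two labels); ignores multi-part public suffixes.
    registrable = ".".join(host.split(".")[-2:])
    if levenshtein(registrable, OFFICIAL_DOMAIN) <= 2:
        return "lookalike"
    return "unrelated"


def scan_message(body: str) -> list:
    """Find every link in an e-mail body and classify its real hostname."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname  # drops any user@ prefix and port
        if host is None:
            continue
        verdict = classify_host(host)
        # Brand name in the userinfo or path of an unrelated host is still a lure.
        if verdict == "unrelated" and BRAND in url.lower():
            verdict = "lookalike"
        findings.append((url, host, verdict))
    return findings


# Constructed sample message; none of these lookalike hosts is from the article.
SAMPLE_EMAIL = """Your TSP account has been compromised. Reset your password now:
https://www.tsp.gov.example.net/reset
Questions? See https://www.tsp.gov/ or https://example.org/help
Also http://tps.gov/login and https://tsp.gov@phish.example/login"""

if __name__ == "__main__":
    for url, host, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:10s} {host:28s} {url}")
```

Only the first exact-or-subdomain test is authoritative; the substring and edit-distance checks are heuristics that trade some false positives for catching the bulk of lookalike hosts, and a production gateway would add a public-suffix list and homoglyph normalisation.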

“I am writing to express our serious concerns with this exercise and to request that the TSP not be used in future training exercises,” TSP Executive Director Gregory T. Long wrote in largely identical letters sent last month to the chief information officers of the Defense Department, the Army and the U.S. Southern Command. “As with any financial institution, it is imperative that we earn and maintain the trust of our participants, as we hold their retirement savings in our plan.”

The TSP provided the letters at the request of The Washington Post.

Although the fake e-mail was sent originally to only 34 persons, it soon spread inside the Army and then to numerous other agencies, spurring concerned calls to the TSP. The TSP’s information security office started tracing the e-mail, ultimately determining that the fake site was owned by the Army, and the TSP posted a warning about the dangers of identity theft posed by sites mirroring its own.

Meanwhile, agencies, including the FBI, notified employees that the e-mail was fake; the U.S. Computer Emergency Response Team distributed a notice about it to all federal agencies; and the Financial Services Information Sharing and Analysis Center issued a warning to financial institutions.

“This entire episode could have easily been avoided had the exercise not taken liberties with the Thrift Savings Plan name and brand,” Long wrote, pointing out the wasted “time and attention from computer security staffs at a number of federal agencies,” in addition to the TSP’s own troubles.

A DoD official said in March that future phishing tests will be approved by the CIO’s office and that if a recognizable entity such as the savings plan is used, the organization will be asked whether it wants to participate.

Meanwhile, the TSP this week strengthened its password requirements for its online account access feature but is not sending e-mails to participants telling them they need to change their passwords. Instead, participants whose passwords do not meet the new standards will have to make a change the next time they log in.

“E-mail links indicating that you need to reset your password may send you to fraudulent websites, and these websites may steal your login credentials when you enter them,” a notice on the TSP site says.
