It’s been nearly three weeks since the Thrift Savings Plan board announced a data breach of 123,000 TSP accounts, and since then, the board has been fielding questions from participants, Congress and the media.
One of the most common questions: Is my account safe?
If a participant did not receive a letter from the TSP board, their account is not affected by the breach, said Greg Long, the executive director of the TSP, in an interview with Your Turn with Mike Causey.
The 123,000 participants whose data was compromised received a letter from the TSP board dated May 25 notifying them of the data breach and offering a free credit monitoring service for one year.
In July 2011, a breach at a TSP contractor — Serco, Inc. — compromised the data of 123,000 accounts. Most of the data accessed included social security numbers only. However, of those 123,000, about 43,000 participants had their names, addresses, social security numbers and other information — possibly bank routing numbers — also compromised,
The TSP board would have a participant’s bank routing number only if the person is in a payment status, “which is more likely if you are retired,” Long said.
Long emphasized that of the total 4.5 million TSP participants, the breach only affects less than 3 percent of the TSP population.
He pointed out that despite the data breach, there was no indication the data had been misused.
“Nobody lost a nickel in any of this,” Long said.
Another question is why it took so long for the board to find out about the breach, which occurred in July 2011 — the board did not find out from the FBI until April of this year. Sen. Susan Collins (R-Maine) has called on the FBI to answer questions about the hack, including when the FBI knew about the breach.
That question — along with where the attack came from — is not information the TSP board has at this time, Long said.
“We don’t do criminal investigations. The FBI does,” he said.
He added, “My job … once we knew about this, is to figure out how to respond, how to make sure it never happens again and figure out how to be transparent with our participants now that we’ve announced it.”
Moving forward means taking a hard look at the board’s own computer systems. Although TSP.gov was not a target in this breach, the incident was a reminder that “cyber risk is everywhere,” Long said.
“While the bad guys build ladders, we’re trying to build better and stronger walls everyday,” he said.
The 123,000 accounts were on a single Serco computer that was a target of the cyber attack, Long said. That computer has been taken offline and scanned. The TSP board also took a “very significant look” at the entire network at that company, he said.
The board is now examining a “longer-term” solution to cybersecurity.
“That’s not something you can do with bailing wire and chewing gum. We’ve got to put some significant thought behind how you architect the system for the future,” Long said.