Pension Plan Clarifies Breach Discovery

Congress Gets Thrift Savings Plan Incident Update
Pension Plan Clarifies Breach Discovery

In response to Congress' request for additional information, the Federal Retirement Thrift Investment Board has changed its story about how it found out about a July 2011 data breach affecting its Thrift Savings Plan. The breach is believed to have exposed personally identifiable information on as many as 123,000 retirement plan participants. (See Why Did Hackers Hit the Fed Pension Plan?)

See Also: Webinar | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

The Thrift Savings Plan is a retirement savings plan, similar to a 401(k), for federal employees in all branches of government, the U.S. Postal Service and members of the uniformed services.

In a letter sent to the Federal Retirement Thrift Investment Board on May 29, Sen. Susan Collins, R-Maine, ranking member of the Senate Homeland Security and Governmental Affairs Committee, which oversees the Thrift Savings Plan, asked for more details about the sophisticated cyber-attack disclosed on May 25.

In its June 5 response, the board changes its account of how it learned about the breach, but offers few other new details.

The board says it was notified on April 10 by Serco Inc., a third-party service provider it hired in 2011, that one of its computers suffered a sophisticated cyberattack in July 2011. Serco provides professional, technology and management services focused on the federal government.

Initially, in its May 25 notice about the incident, the board said it was notified of the breach on April 11 by the FBI.

In the response to Sen. Collins, the board says it and Serco "immediately acted to isolate and contain the suspected source of the data," the June 5 response letter states.

"After a combined investigation, on April 13, the FRTIB and Serco determined that data belonging to the FRTIB, including personally identifiable information of TSP participants, had been compromised. Within one hour of the discovery, the FRTIB notified U.S. CERT (Computer Emergency Readiness Team) as required by the Federal Information Security Management Act."

The board did not explain why the July 2011 breach was not discovered until April 2012, nor did it clarify the role the FBI played in the discovery of the breach.

The board did, however, say it did not initially know which pension plan participants had been affected. Thus, it took the board and Serco until May 4 to compile a list of Social Security numbers and other information that had been compromised.

"On May 8, the FRTIB produced a file that was verified against our TSP participant database," the response reads. "On May 20, the FRTIB received an independent verification and validation confirming that the various files that had been accessed had been completely and correctly analyzed to accurately capture the affected population."

The board says it needed time to drill down to determine the breadth of the breach, which is why it did not notify Congress until May 25.

Officials at the board provided Collins' office with copies of the two versions of the breach response letters it mailed to affected participants but asked that those letters not be made public. The board says that less than half of the affected participants had financial account numbers and routing numbers exposed during the attack.

The board also says it is reviewing its incident-handling procedures to determine when Congressional notifications of breaches should be made.

More Behind the Breach?

In its letter, the board says it has no evidence that the exposed information was misused for financial gain. But some experts, such as David Land, an IT security expert and former Cyber Counterintelligence Officer for the Oak Ridge National Laboratory and the U.S. Department of Energy, speculate that the attack was waged for intelligence-gathering purposes.

Many of the federal employees and service members hit by the breach probably have security clearance to sensitive and classified information, Land says.

"Were I to guess, this was likely a foreign-state-sponsored effort to gain intelligence and potential targeting information," Land says.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.