Pension Plan Clarifies Breach Discovery
Congress Gets Thrift Savings Plan Incident Update
In response to Congress' request for additional information, the Federal Retirement Thrift Investment Board has changed its story about how it found out about a July 2011 data breach affecting its Thrift Savings Plan. The breach is believed to have exposed personally identifiable information on as many as 123,000 retirement plan participants. (See Why Did Hackers Hit the Fed Pension Plan?)
The Thrift Savings Plan is a retirement savings plan, similar to a 401(k), for federal employees in all branches of government, the U.S. Postal Service and members of the uniformed services.
In a letter sent to the Federal Retirement Thrift Investment Board on May 29, Sen. Susan Collins, R-Maine, ranking member of the Senate Homeland Security and Governmental Affairs Committee, which oversees the Thrift Savings Plan, asked for more details about the sophisticated cyber-attack disclosed on May 25.
In its June 5 response, the board changes its account of how it learned about the breach, but offers few other new details.
The board says it was notified on April 10 by Serco Inc., a third-party service provider it hired in 2011, that one of its computers suffered a sophisticated cyberattack in July 2011. Serco provides professional, technology and management services focused on the federal government.
Initially, in its May 25 notice about the incident, the board said it was notified of the breach on April 11 by the FBI.
The board and Serco "immediately acted to isolate and contain the suspected source of the data," the June 5 response letter to Sen. Collins states.
"After a combined investigation, on April 13, the FRTIB and Serco determined that data belonging to the FRTIB, including personally identifiable information of TSP participants, had been compromised. Within one hour of the discovery, the FRTIB notified U.S. CERT (Computer Emergency Readiness Team) as required by the Federal Information Security Management Act."
The board did not explain why the July 2011 breach was not discovered until April 2012, nor did it clarify the role the FBI played in the discovery of the breach.
The board did, however, say it did not initially know which pension plan participants had been affected. Thus, it took the board and Serco until May 4 to compile a list of Social Security numbers and other information that had been compromised.
"On May 8, the FRTIB produced a file that was verified against our TSP participant database," the response reads. "On May 20, the FRTIB received an independent verification and validation confirming that the various files that had been accessed had been completely and correctly analyzed to accurately capture the affected population."
The board says it needed time to drill down to determine the breadth of the breach, which is why it did not notify Congress until May 25.
Officials at the board provided Collins' office with copies of the two versions of the breach response letters the board mailed to affected participants but asked that those letters not be made public. The board says that fewer than half of the affected participants had financial account numbers and routing numbers exposed during the attack.
The board also says it is reviewing its incident-handling procedures to determine when Congressional notifications of breaches should be made.
More Behind the Breach?
In its letter, the board says it has no evidence that the exposed information was misused for financial gain. But some experts, such as David Land, an IT security expert and former Cyber Counterintelligence Officer for the Oak Ridge National Laboratory and the U.S. Department of Energy, speculate that the attack was waged for intelligence-gathering purposes.
Many of the federal employees and service members hit by the breach probably have security clearance for access to sensitive and classified information, Land says.
"Were I to guess, this was likely a foreign-state-sponsored effort to gain intelligence and potential targeting information," Land says.