The long lag-time in notifying TSP participants of breach, explained
The Federal Retirement Thrift Investment Board and Serco Inc. took more than six weeks to determine which Thrift Savings Plan participants were affected by the July 2011 cyberattack on a Serco computer, compromising the personal information of more than 123,000 TSP participants, a new account shows.
In a response to a query from Sen. Susan Collins, R-Maine, last week, Greg Long, the board’s executive director, provided a timeline explaining the lapse between early April, when Serco notified the board of the July 2011 incident, and late May, when TSP participants and lawmakers were notified.
The new details include:
- On April 10, Serco explained to FRTIB, which is under contract with Serco for record-keeping services until the end of fiscal 2013, that its system had been compromised. At the time, Serco did not know if the hacker had accessed TSP data. Three days later, FRTIB and Serco determined TSP participants’ information was part of the breach.
- An hour after learning that its data had been compromised, FRTIB notified the U.S. Computer Certification Readiness Team in compliance with the 2002 Federal Information Security Management Act.
- By May 4, the team had compiled a list of Social Security numbers and additional information, such as TSP account numbers, that had been compromised. At the time, no names were matched to the information.
- On May 20, the board received “an independent verification and validation confirming that the various files that had been accessed had been completely and correctly analyzed to accurately capture the affected population,” the letter stated.
Affected TSP participants were then notified of the breach via snail mail on May 23, and lawmakers were told two days later. Collins also pressed the board to explain why lawmakers were not notified of until May 25. Long replied the board wanted to wait until it had complete information about the data that was compromised and which participants were affected.
“It was critical that the FRTIB understand the scope of the incident prior to briefing Congress, such that it could provide a full and comprehensive explanation of the incident,” Long wrote.
The board sent one of two different letters out on May 23 to beneficiaries affected by the attack.
The FBI’s response to Collins’ query also was due Tuesday, but had not been delivered to Capitol Hill at publication time.
In addition, the House Oversight and Government Reform committee is reviewing the incident.