Room for confusion in letters sent to TSP cyberattack victims

Nearly 1 in 40 Thrift Savings Plan beneficiaries has received one of two types of letters informing them that their personal information was compromised in a July 2011 cyberattack. Recipients of these letters, however, still may be unsure about the extent of their exposure.

The Federal Retirement Thrift Investment Board sent two different letters on May 23 to the 123,201 affected TSP participants: More than 43,000 received a letter explaining that their Social Security numbers, names and addresses had been compromised; almost 80,000 received a different letter informing them that their Social Security numbers were exposed and there also was the possibility that their TSP information was accessed by the cyberattacker who hacked into the computer of TSP contractor Serco Inc. nearly a year ago.

Joe Wallace, a retired Air Force member, was among those in the second group. But the language in the letter he received is confusing, he told Government Executive. He was told the hacker accessed a file that contained his Social Security number. But Wallace isn’t sure if he’s among a subgroup whose TSP information was also compromised.

A copy of the letter sent to those in Wallace’s group, obtained by Government Executive, does not clearly state whether it is one of two types sent or which group the recipient falls into. “For some individuals, the [compromised] file also contained your TSP account number,” the letter reads, but it does not specify whether the recipient is among them.

“The letter is largely worthless as it is very vague in explaining what happened,” Wallace said.

Wallace will have to contact the FRTIB to find out whether his account information was accessed in addition to his Social Security number, FRTIB director of external affairs Kim Weaver said.

The more than 43,000 in the first unlucky group also must call the board to determine if they are among more than 20,000 participants whose financial information may have been compromised, in addition to their Social Security numbers, names and addresses.

“You’d need to send a million letters” to contact every subgroup of affected beneficiaries, Weaver said, “and we just didn’t have time.”

The board has said repeatedly it does not have reason to believe the information exposed in the attack has been misused -- a fact it stressed in the days following the initial announcement of the event. Still, the board is paying for a year’s worth of credit monitoring for affected beneficiaries.

Weaver said the board replied on time to a query last week from Sen. Susan Collins, R-Maine. Collins pressed both the TSP board and the FBI to explain the lapse in time between when the bureau became aware of the July 2011 attack and when the board was notified, and the lapse in time between when the board was notified and participants were notified.

Wallace was also a victim of the September 2011 breach of 4.9 million TRICARE beneficiaries’ health information. That data was stored on backup computer tapes stolen from TRICARE contractor Science Applications International Corp. He said he is more worried about the recent Serco and FRTIB breach.

“The TRICARE-SAIC loss was encrypted and looks like a simple theft. This computer hacking is much more troubling,” Wallace said.

Weaver said officials realized the breach “has the potential to shake peoples’ trust” in the board. Citing the establishment of call centers to answer questions, she said the board is doing its best to be responsive to affected participants and is continuing to work with the pending FBI investigation.

TSP officials have said cyberattacks have become more common governmentwide, something Wallace knows firsthand.

“I have to believe I am the only two-time loser but I may not be alone,” he said.