TSP Participants Could Be Vulnerable to Hackers, Auditors Say

The agency running the Thrift Savings Plan has not implemented the proper controls to prevent hackers from accessing its systems and potentially compromising the personal data of federal employee and retiree participants, federal auditors said on Monday.

Representatives from the Labor Department’s Employee Benefits Security Administration told the Federal Retirement Thrift Investment Board at its monthly meeting it was not progressing with fixes to potential security lapses quickly enough. Ian Dingwall, EBSA’s chief accountant, said many of the security issues have been identified for years but FRTIB has failed to resolve them.

Without updates, FRTIB “will not be able to prevent…unauthorized disclosure of the systems and data,” Dingwall said. There are significant holes in the agency’s mainframe and access management, he added, “collectively opening the agency to unnecessary risk.”

The goal is to “make sure your systems are world class,” Dingwall said. “We think they ought to be.”

FRTIB manages the retirement investment plans for more than 4.7 million participants with $450 billion in total assets. After successful hacks of agencies such as the State Department and the U.S. Postal Service, agencies across government have been looking to boost their cybersecurity efforts. A data breach at FRTIB could potentially lead to not just personal data access, but also loans and withdrawals from enrollee’s accounts. Hackers could also add fictitious names as designated beneficiaries to collect payments when a participant passes away.

To help prevent such attacks and to identify specific vulnerabilities, Labor auditors have suggested penetration testing. Dingwall likened the process to allowing the investigators into the front door of a home so they could determine what would be immediately available to steal.

Someone successfully breaking into an agency’s system “seems like a fact of life these days,” Dingwall said. FRTIB must therefore ensure the amount of information a hacker could scrape upon entering the system is limited, he added.

Despite support for the project from the TSP’s governing board, FRTIB has thrown up roadblocks that have disrupted the auditors’ schedule.

The agency said it must lay out the parameters within which the Labor Department and contracted reviewers would be confined. Dingwall agreed such a framework was necessary, but argued the hurdles the agency is making him clear are too high. After all, government auditors are not planning “to steal any ashtrays” once inside the “home.”

Dingwall added if he must deal with all the restrictions FRTIB has proposed, “we’ll never get [the testing] done.” Labor promised to keep the board apprised of its progress with FRTIB officials in the coming months.

(Image via scyther5 / Shutterstock.com)