Security Breach Did Not Affect TSP Accounts

The Thrift Savings Plan accounts of federal employees were not affected in the latest major cyberattack on the Office of Personnel Management, according to a spokeswoman for the agency that manages the retirement investments.

TSP data, including account numbers, is not shared with OPM, “so they wouldn’t have that information in their database,” said Kim Weaver, director of external affairs at the Federal Retirement Thrift Investment Board, which administers the TSP. The agency also posted a statement on its website Friday reminding enrollees that their information is not shared with OPM.

The security breach, which was discovered by federal officials in April and announced on Thursday, affects 4 million current and former federal employees whose personal information is potentially at risk. It’s the fourth network intrusion of an organization holding sensitive records on personnel with possible access to classified information. OPM alone has been attacked by hackers twice during the past year.

Federal officials told the Washington Post that the breach was the work of hackers acting on behalf of China. The intruders gained access to “employees’ Social Security numbers, job assignments, performance ratings and training information,” the Post reported.

From June 8 to June 19, OPM will send notices to the 4 million current and former federal employees whose personal data was potentially compromised. OPM will offer the 4 million people whose data was potentially exposed free credit monitoring services and identity theft insurance with CSID, a private firm. OPM said employees and retirees would receive 18-month memberships that include “credit report access, credit monitoring, identity theft insurance and recovery services.”

Auditors told the TSP board at its monthly meeting in April that it needs to shore up its cybersecurity to prevent hackers from accessing its systems and potentially compromising the personal data of federal employee and retiree participants.

Ian Dingwall, chief accountant at the Labor Department’s Employee Benefits Security Administration, said at the meeting that many of the security issues have been identified for years but the TSP board has failed to resolve them. Without updates, the agency “will not be able to prevent…unauthorized disclosure of the systems and data,” Dingwall said. There are significant holes in the agency’s mainframe and access management, he added, “collectively opening the agency to unnecessary risk.”

The TSP board manages the retirement investment plans for more than 4.7 million participants with $450 billion in total assets. In 2012, a TSP contractor’s computer was hacked, putting the personal information of 123,000 TSP participants at risk. The board found no evidence that any of that data was misused, or that the TSP network was affected. 

(Image via Joana Lopes / Shutterstock.com)