TSP head expresses regret over cyberattack

The head of the Thrift Savings Plan expressed regret on Tuesday over not having a policy in place earlier to notify participants of security breaches to their retirement accounts.

The Federal Retirement Thrift Investment Board implemented a breach notification plan in June, Gregory Long, the board’s executive director, said during a hearing on Capitol Hill. That was about two months after the board learned of a 2011 cyberattack that led to the unauthorized access to the accounts of as many as 123,000 plan participants and other recipients of TSP plan payments.

Long blamed “a lack of resources” for the board’s inability to develop a plan to inform TSP participants of security breaches when they occur. “The past decade has been a time of dramatic expansion for the agency, in the number of participants, the dollars invested in the TSP and the services provided to our participants and beneficiaries,” he said. “This growth taxed the agency’s ability to complete all that needed to be done.”

The board and Serco Inc., the contractor that provides services to the TSP, took more than six weeks to determine which participants were affected by the July 2011 cyberattack on a Serco computer. Long said the board used 2007 guidance on cybersecurity from the Office of Management and Budget in responding to the security breach.

Sen. Daniel Akaka, D-Hawaii, said he was concerned the board did not have a breach notification policy when the agency learned about the cyberattack in April. Akaka, who chairs the Senate Homeland Security and Governmental Affairs federal workforce subcommittee has asked the Government Accountability Office to determine how many other agencies have failed to incorporate OMB’s guidance and whether sufficient oversight of compliance exists. Akaka was one of 43 members of Congress who was affected by the security breach. He has offered an amendment to the 2012 Cybersecurity Act, which the Senate is considering Tuesday evening, that would make it mandatory for every federal agency to have a breach notification policy in place.

Akaka “hasn’t suffered any consequences thus far,” as a result of the cyberattack, his communications director, Jesse Broder Van Dyke, said by email. Broder Van Dyke also said the hearing on the topic and the senator’s amendment “were in the works” before he knew his personal information was improperly accessed along with other TSP enrollees.

The board administers individual accounts for more than 4.5 million federal and postal employees, members of the uniformed services, retirees, and spousal beneficiaries. As of June 30, the TSP held approximately $313 billion in retirement savings.

“I deeply regret the cyberattack and the concern that it caused our participants,” Long told lawmakers. “I want to take this opportunity to assure all our participants and beneficiaries that we will continue to pursue all new avenues of data and computer security to ensure the safety and security of their personal data and their retirement funds.”