The TSP recordkeeper transition was intended to improve security, but hackers were able to get into some participants' accounts and make hardship withdrawals.

The TSP recordkeeper transition was intended to improve security, but hackers were able to get into some participants' accounts and make hardship withdrawals. Andrew Brookes / Getty Images

TSP’s Recordkeeper Transition Created an Opportunity for Hackers to Steal Accounts, a Victim Says

Over the summer, a hacker was able to claim a VA psychologist’s TSP online account access and filed a nearly $100,000 hardship withdrawal.

The first time that Veterans Affairs Department psychologist Kristy Ditzler heard that the Thrift Savings Plan had switched to a new recordkeeping service and that she needed to set up a new account was in September, when she received a letter informing her that someone had already done it on her behalf.

“On Sept. 7, I got a piece of paper mail from the TSP and I opened it on the morning of the eighth, and it said, ‘Your account has been claimed and your contact info was changed, and if you did not take that action then call us,’” Ditzler said. “So I called at 7:30 that morning and found out that in fact, on Aug. 21, somebody took over my account, changed the user name and password, and then took a hardship withdrawal for $98,543.”

In June, the TSP moved to the new recordkeeper vendor Accenture Federal Services, touting better security and functionality for users. But since then, participants have reported a cavalcade of problems, from difficulty proving their identity to set up new accounts and having to resubmit beneficiary designations to the loss of historical account data. Many of the issues were exacerbated by Accenture’s vast underestimate of the volume of calls seeking assistance at the TSP’s customer service hotline, and subsequent call center understaffing.

When Ditzler contacted the ThriftLine, a representative encouraged her to lock her account to prevent further theft of her retirement savings—something she could not do because she could not access her account anymore—and filed a report for the TSP’s anti-fraud team. The next day, she filed a report with the FBI’s identity theft website, but over the next three weeks, she heard nothing from TSP about her case.

“I called the TSP every day for the next several days and never got past, ‘What’s your phone number and your PIN number?’ even though again and again I had to say, ‘My account was hacked, the PIN is fraudulent, and the email address isn’t mine,’ ” she said. “They would never help me, they wouldn’t listen to me or take me seriously.”

The next time Ditzler got an update on her case, it wasn’t from the TSP. She said an investigator from VA’s Office of Inspector General called her on Oct. 3 and said that multiple employees of the department had accounts stolen out from under them.

“He told me someone had made eight different attempts from different IP addresses before finally getting into my account,” Ditzler said. “Despite [the suspicious login activity], my account did not get locked.”

The VA Office of the Inspector General told Government Executive that it does not confirm or deny the existence of any ongoing investigations.

On Oct. 12, Ditzler said she finally heard from the TSP’s anti-fraud team. They told her that the Treasury Department had prevented her money being disbursed from the hardship withdrawal, and was holding onto it while law enforcement continues to investigate. Although that was seemingly good news, she said the person she spoke to declined to provide a name or contact information so that she could follow up about her case.

“They told me that I would be made whole, but they didn’t give me an ETA on when to expect that,” Ditzler said. “So, I’m sitting here missing $98,000 and my account is frozen, and all I can do is wait for secret phone calls.”

TSP spokeswoman Kim Weaver confirmed that Ditzler was the victim of a “bad actor,” and that her money had been recovered, although she could not comment further on the case due to an ongoing law enforcement investigation.

“I would emphasize that the TSP has a robust anti-fraud program that is constantly surveilling the accounts of TSP participants for fraudulent activity,” she said. “As with this instance, if needed, our anti-fraud team will reach out to law enforcement for assistance.”

Weaver urged all TSP participants to ensure their accounts are secure in the new recordkeeping system.

“We encourage participants to always practice good cyber hygiene and log into their TSP regularly to verify their information,” she said. “This is why we have been encouraging our participants to set up their new passwords for their accounts.”

Ditzler suspects the culprit was able to get into her account through a combination of brute force and use of her personally identifiable information that was exposed during the 2014 Office of Personnel Management hack. Although she said she was relieved to learn money would be restored to her account—she was notified that the restoration was processing after Government Executive’s inquiries to the TSP—the experience has soured her on the 401(k)-style retirement program.

“What I was so horrified to discover with the TSP is you’re basically nothing but an account number, a PIN, an email and a phone number,” Ditzler said. “You as a person don’t really exist to them, and if any of that gets changed, you’re out of luck and there’s no advisor to speak to, no genuine concern. I’m pretty good at keeping my act together as a psychologist, but I really lost my cool multiple times on the phone with people who kept reading scripts to me.”

“I plan to roll it all into a private IRA and be done with them,” she said.