Shows & Panels
- Accelerate and Streamline for Better Customer Service
- Ask the CIO
- The Big Data Dilemma
- Carrying On with Continuity of Operations
- Client Virtualization Solutions
- Data Protection in a Virtual World
- Expert Voices
- Federal Executive Forum
- Federal IT Challenge
- Federal Tech Talk
- Feds in the Cloud
- Health IT: A Policy Change Agent
- Improving Healthcare Outcomes through IT Policy
- IT Innovation in the New Era of Government
- Making Dollars And Sense Out of Data Center Consolidation
- Navigating the Private Cloud
- One Step to the Cloud, Two Steps Toward Innovation
- Path to FDCCI Compliance
- Take Command of Your Mobility Initiative
Shows & Panels
TSP executive director gives update on data breach
Wednesday - 6/13/2012, 9:23pm EDT
One of the most common questions: Is my account safe?
If a participant did not receive a letter from the TSP board, their account is not affected by the breach, said Greg Long, the executive director of the TSP, in an interview with Your Turn with Mike Causey.
The 123,000 participants whose data was compromised received a letter from the TSP board dated May 25 notifying them of the data breach and offering a free credit monitoring service for one year.
In July 2011, a breach at a TSP contractor — Serco, Inc. — compromised the data of 123,000 accounts. Most of the data accessed included social security numbers only. However, of those 123,000, about 43,000 participants had their names, addresses, social security numbers and other information — possibly bank routing numbers — also compromised,
The TSP board would have a participant's bank routing number only if the person is in a payment status, "which is more likely if you are retired," Long said.
Long emphasized that of the total 4.5 million TSP participants, the breach only affects less than 3 percent of the TSP population.
He pointed out that despite the data breach, there was no indication the data had been misused.
"Nobody lost a nickel in any of this," Long said.
Another question is why it took so long for the board to find out about the breach, which occurred in July 2011 — the board did not find out from the FBI until April of this year. Sen. Susan Collins (R-Maine) has called on the FBI to answer questions about the hack, including when the FBI knew about the breach.
That question — along with where the attack came from — is not information the TSP board has at this time, Long said.
"We don't do criminal investigations. The FBI does," he said.
He added, "My job ... once we knew about this, is to figure out how to respond, how to make sure it never happens again and figure out how to be transparent with our participants now that we've announced it."
Moving forward means taking a hard look at the board's own computer systems. Although TSP.gov was not a target in this breach, the incident was a reminder that "cyber risk is everywhere," Long said.
"While the bad guys build ladders, we're trying to build better and stronger walls everyday," he said.
The 123,000 accounts were on a single Serco computer that was a target of the cyber attack, Long said. That computer has been taken offline and scanned. The TSP board also took a "very significant look" at the entire network at that company, he said.
The board is now examining a "longer-term" solution to cybersecurity.
"That's not something you can do with bailing wire and chewing gum. We've got to put some significant thought behind how you architect the system for the future," Long said.