TSP executive director gives update on data breach
Wednesday - 6/13/2012, 9:23pm EDT
One of the most common questions: Is my account safe?
If a participant did not receive a letter from the TSP board, their account is not affected by the breach, said Greg Long, the executive director of the TSP, in an interview with Your Turn with Mike Causey.
The 123,000 participants whose data was compromised received a letter from the TSP board dated May 25 notifying them of the data breach and offering a free credit monitoring service for one year.
In July 2011, a breach at a TSP contractor — Serco, Inc. — compromised the data of 123,000 accounts. Most of the data accessed included social security numbers only. However, of those 123,000, about 43,000 participants had their names, addresses, social security numbers and other information — possibly bank routing numbers — also compromised,
The TSP board would have a participant's bank routing number only if the person is in a payment status, "which is more likely if you are retired," Long said.
Long emphasized that, of the total 4.5 million TSP participants, the breach affects less than 3 percent of the TSP population.
He pointed out that despite the data breach, there was no indication the data had been misused.
"Nobody lost a nickel in any of this," Long said.
Another question is why it took so long for the board to find out about the breach, which occurred in July 2011 — the board did not find out from the FBI until April of this year. Sen. Susan Collins (R-Maine) has called on the FBI to answer questions about the hack, including when the FBI knew about the breach.
That question — along with where the attack came from — is not information the TSP board has at this time, Long said.
"We don't do criminal investigations. The FBI does," he said.
He added, "My job ... once we knew about this, is to figure out how to respond, how to make sure it never happens again and figure out how to be transparent with our participants now that we've announced it."
Moving forward means taking a hard look at the board's own computer systems. Although TSP.gov was not a target in this breach, the incident was a reminder that "cyber risk is everywhere," Long said.
"While the bad guys build ladders, we're trying to build better and stronger walls every day," he said.
The 123,000 accounts were on a single Serco computer that was a target of the cyber attack, Long said. That computer has been taken offline and scanned. The TSP board also took a "very significant look" at the entire network at that company, he said.
The board is now examining a "longer-term" solution to cybersecurity.
"That's not something you can do with baling wire and chewing gum. We've got to put some significant thought behind how you architect the system for the future," Long said.