Computer security breach at Serco affects 123,000 Thrift Savings Plan participants
Hazel Bradford reports:
A cyber attack on a computer of a contractor for the $313 billion Thrift Savings Plan, Washington, could have compromised account information for about 123,000 plan participants, the Federal Retirement Thrift Investment Board, which oversees the plan, announced Friday.[…]
The attack was made on a computer at Serco Inc., a contractor helping to update TSP’s disbursement system software, and was first detected by the FBI in April.
Serco and the board performed a forensic analysis to see which TSP account holders were affected, concluding that 43,587 participants had personal information including Social Security numbers potentially compromised, and another 80,000 may have had their Social Security numbers accessed from the Serco computer. Those participants are being notified in letters mailed on Friday.
Read more on Pensions & Investments.
A statement posted on Serco’s site today says:
Serco Inc., a provider of professional, technology, and management services, announced today that one of its computers used in support of the Federal Retirement Thrift Investment Board (FRTIB) was subjected to a sophisticated cyber attack. The cyber attack potentially affected the personal information of approximately 123,000 Thrift Savings Plan (TSP) participants or other recipients of TSP payments.
There is no evidence of any funds being diverted or identity theft resulting from the incident. An extensive forensic analysis of the data also shows no indication that the TSP network, which supports TSP’s 4.5 million participants, was subjected to unauthorized access. Approximately 43,000 individuals had their personal information including name, address and Social Security number potentially compromised. An additional 80,000 may have had their social security numbers compromised but there is no indication that additional identifying information was also included with those particular individuals.
In April 2012, the Federal Bureau of Investigation (FBI) informed Serco that one of its computers used in support of the FRTIB was subjected to unauthorized access. The FRTIB and Serco acted quickly and decisively to further investigate the incident, take additional steps to protect the integrity of FRTIB’s data, and ensure that FRTIB’s TSP continues to be a safe and secure retirement plan for federal employees.
FRTIB and Serco performed forensic analysis to determine which TSP participants and payees were possibly affected and the extent of the possible compromise of data. Steps taken included an immediate shut down of the compromised computer, launch of a task force involving both Serco and FRTIB senior executives to focus all capabilities and resources in a coordinated system-wide review of the protection of data, and fortification of the security systems.
FRTIB will be sending notification letters today to all TSP participants and payees who may have been affected, providing them information on contacting a call center established to provide support and to offer services such as fraud consultation, fraud restoration, fraud alert services and credit counseling.
“Serco regrets this incident and the inconvenience it may cause to some Thrift Savings Plan participants and payees whose personal data was involved. We have fortified our information security measures and cyber defenses. We are committed to supporting the FRTIB in its mission of providing world-class retirement management solutions for current and former federal employees, members of the uniformed services, and their families,” said Ed Casey, Chairman and Chief Executive Officer of Serco Inc.
The FBI supplied data to Serco and the FRTIB that required extensive IT security expert analysis in order to determine which TSP members were potentially affected. The analysis required opening and reviewing thousands of files in order to determine what personal information might be at risk and the identity of the potentially affected individuals, as well as taking further actions to determine the scope of the incident.
This incident fits with the increasing number of cyber attacks in which the goal of those seeking unauthorized access does not appear to include identity theft or financial misappropriation. It is an unfortunate reminder that Federal government and private company IT assets, computers and data are under pervasive, sophisticated attack. According to the U.S. Senate’s Sergeant at Arms, the computer systems of the government’s Executive Branch agencies and the Congress were probed or attacked an average of 1.8 billion times per month. The head of the U.S. Cyber Command for the Department of Defense said cyber threats are growing and that DoD computers were subjected to 6 million cyber attacks each day.
About Serco Inc.: Serco Inc. is a leading provider of professional, technology, and management services focused on the federal government. We advise, design, integrate, and deliver solutions that transform how clients achieve their missions. Our customer-first approach, robust portfolio of services, and global experience enable us to respond with solutions that achieve outcomes with value. Headquartered in Reston, Virginia, Serco Inc. has approximately 9,000 employees, annual revenue of $1.4 billion, and is ranked in the Top 30 of the largest Federal Prime Contractors by Washington Technology. Serco Inc. is a wholly-owned subsidiary of Serco Group plc, a $7 billion international business that helps transform government and public services around the world. More information about Serco Inc. can be found at www.serco-na.com.
Not surprisingly, it doesn’t really say anything about the attack itself, nor when the attack occurred. At some point, Serco will need to explain why it didn’t detect the attack via its own measures or audits if it diddn’t prevent it.
Update: MyFox Detroit has some additional details, including a statement that the attack occurred last July.