Pension Hack Exposed 123,000 Accounts

What Was the Motivation Behind the Federal Attack?

A sophisticated cyberattack last summer aimed at a computer linked to the Federal Retirement Thrift Investment Board's Thrift Savings Plan is believed to have exposed personal information about as many as 123,000 pension participants.


The TSP is a retirement savings plan, similar to a 401(k) for federal employees. TSP maintains participant plans for federal employees in all branches of government, the U.S. Postal Service and members of the uniformed services.

On April 10, the Federal Bureau of Investigation notified the board and its third-party service provider Serco that it had discovered a breach of one of Serco's computers.

According to a May 25 TSP statement, the FBI, after extensive expert analysis of the breach, provided data to Serco and the board that traced the breach back to July 2011. The statement did not say what prompted the FBI's investigation or why it took the board so long to notify the public of the breach.

The incident resulted in unauthorized access to information about TSP participants and payees. In some cases, names, addresses and Social Security numbers were exposed. In others, financial details and account routing numbers also were exposed. And for others, only Social Security numbers and TSP-related information were leaked.

Kim Weaver, spokeswoman for the Thrift Investment Board, says credit monitoring and identity-theft protection services are being offered to affected accountholders. She could not say, however, how the FBI discovered the breach or why it did not notify the board until April.

"We were notified on April 10, and it took until April 13 to determine that PII (personally identifiable information) was involved," Weaver says. "From the 13th, we were working to untangle all of the information before we could notify the public."

The board says it has no evidence that the exposed information was misused. Breach notification letters are being sent to all affected pension participants. The board also says it has placed alerts on the affected accounts to ensure account activity is monitored, and it has set up a response team to conduct a system-wide review of computer security procedures. The compromised Serco computer also has been shut down.

Nature of the Incident Questioned

David Land, an IT security expert and former Cyber Counterintelligence Officer for the Oak Ridge National Laboratory and the U.S. Department of Energy, says the length and description of the attack point to something much more serious.

Many of the federal employees and service members hit by the breach likely have security clearance to highly sensitive and classified data, Land says.

"This intrusion has some very significant implications and potentially down the road ramifications," he says. "Were I to guess, this was likely a foreign-state-sponsored effort to gain intelligence and potential targeting information."

The breach should have been detected much sooner, says Kirk Nahra, a privacy expert and attorney.

"The fact that they are just finding it, nearly a year later, means they didn't do a good job of monitoring their systems," he says. "This points out a need to do a better job on that end, by catching some of these compromises faster. We can't stop them, but we can be faster to react."

Like Nahra, ID theft expert Neal O'Farrell also questions the timeline of the breach. "Why did it take so long to report?" he asks. "Who knew what was going on for those nine long months and why was the victim organization never informed?"

Nahra suggests all organizations "should be paying a lot of attention to what information they have and what they do with it, especially when outside vendors are involved."

The incident also highlights why storing or transmitting Social Security numbers is a bad idea, Nahra says. "Anytime you have a Social Security number involved in a breach, the potential implications for damage are higher," he says.

Public and private entities alike often retain too much information in numerous databases, which only increases the risk of exposure, Nahra adds.


About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.