Officials from the Federal Retirement Thrift Investment Board (FRTIB) came forward to disclose that one of its third-party service providers had suffered a cyberattack that ultimately exposed the personal information of more than 120,000 federal employees to unauthorized viewers. But as more details emerge regarding the timeline of events, it appears as though affected workers have been operating without knowledge of the breach for nearly a year.
The Thrift Savings Plan (TSP) is a 401(k)-style retirement planning program utilized by employees across the public sector – including senators, military members and intelligence community leaders. In a statement issued on May 25, FRTIB officials revealed that a computer belonging to professional services contractor Serco "suffered a sophisticated cyberattack" that exposed the records of approximately 123,000 TSP participants.
Upon detection of the data security threat, administrators immediately took the infected machine offline and followed standard protocol by bringing in federal computer forensics experts to conduct a thorough analysis. As a result, the FRTIB has insisted that it is highly unlikely that employee information has been abused in any meaningful way.
"We sincerely regret that this event occurred and we will provide assistance and support to the affected individuals through a call center and credit monitoring," FRTIB executive director Greg Long stated. "We are working with Serco and other security experts to ensure that TSP data is protected and secure."
What this release neglected to mention, however, was the full sequence of events underlying the regrettable incident.
According to the Washington Post, the cyberattack actually occurred in July 2011. Conspicuously enough, the FBI learned of the breach, but did not notify Serco, until April 2012. Then, another six weeks elapsed before TSP administrators publicly disclosed the incident and mailed notification letters to affected employees.
Senator Susan Collins, a ranking member of the Homeland Security and Governmental Affairs Committee, which oversees the TSP, is now demanding answers on behalf of a wide variety of stakeholders. According to the Post, Collins is looking for a clear timetable on when the lapse in data security was first assessed and is asking stern questions as to why Congress was not notified sooner and involved in the resolution process.
"We wanted to be able to inform the affected individuals as quickly as we could without unnecessarily scaring the vast majority of our participants who are unaffected," TSP external affairs coordinator Kim Weaver explained in a statement emailed to the newspaper.
In a separate conversation with Government Executive, Weaver went on to assert that the incident should not shake confidence in third-party service providers. Given the sophistication of the cyberthreat landscape, she found fault with the assumption that any one class of organization is inherently better prepared than another. Instead, she underscored the fact that both public- and private-sector data protection teams must be in a state of constant evolution.
Nevertheless, concerns are being raised that the breach may have been a component of a more sinister plot and not just an isolated incident. According to NextGov, the fact that hackers have obtained thousands of Social Security numbers, yet no incidents of identity fraud or financial improprieties have been reported, is a clear indicator that other motives are in play.
"[Advanced persistent threats] are no longer the monopolies of [cybercriminal] regimes," Trend Micro vice president Tom Kellerman told NextGov. "Criminals are fully aware that even if they have no use for those systems they can sell those systems in the shadow community."
Serco's status as a government contractor with ties to nearly a dozen federal agencies has also reignited concerns that foreign hackers may be seeking an entrance into networks that ultimately enables them to steal American intellectual property.
Data Security News from SimplySecurity.com by Trend Micro