DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Computer security breach at Serco affects 123,000 Thrift Savings Plan participants

Posted on May 25, 2012 by Dissent

Hazel Bradford reports:

A cyber attack on a computer of a contractor for the $313 billion Thrift Savings Plan, Washington, could have compromised account information for about 123,000 plan participants, the Federal Retirement Thrift Investment Board, which oversees the plan, announced Friday.

[…]

The attack was made on a computer at Serco Inc., a contractor helping to update TSP’s disbursement system software, and was first detected by the FBI in April.

Serco and the board performed a forensic analysis to see which TSP account holders were affected, concluding that 43,587 participants had personal information including Social Security numbers potentially compromised, and another 80,000 may have had their Social Security numbers accessed from the Serco computer. Those participants are being notified in letters mailed on Friday.

Read more on Pensions & Investments.

A statement posted on Serco’s site today says:

Serco Inc., a provider of professional, technology, and management services, announced today that one of its computers used in support of the Federal Retirement Thrift Investment Board (FRTIB) was subjected to a sophisticated cyber attack. The cyber attack potentially affected the personal information of approximately 123,000 Thrift Savings Plan (TSP) participants or other recipients of TSP payments.

There is no evidence of any funds being diverted or identity theft resulting from the incident. An extensive forensic analysis of the data also shows no indication that the TSP network, which supports TSP’s 4.5 million participants, was subjected to unauthorized access. Approximately 43,000 individuals had their personal information including name, address and Social Security number potentially compromised. An additional 80,000 may have had their social security numbers compromised but there is no indication that additional identifying information was also included with those particular individuals.

In April 2012, the Federal Bureau of Investigation (FBI) informed Serco that one of its computers used in support of the FRTIB was subjected to unauthorized access. The FRTIB and Serco acted quickly and decisively to further investigate the incident, take additional steps to protect the integrity of FRTIB’s data, and ensure that FRTIB’s TSP continues to be a safe and secure retirement plan for federal employees.

FRTIB and Serco performed forensic analysis to determine which TSP participants and payees were possibly affected and the extent of the possible compromise of data. Steps taken included an immediate shut down of the compromised computer, launch of a task force involving both Serco and FRTIB senior executives to focus all capabilities and resources in a coordinated system-wide review of the protection of data, and fortification of the security systems.

FRTIB will be sending notification letters today to all TSP participants and payees who may have been affected, providing them information on contacting a call center established to provide support and to offer services such as fraud consultation, fraud restoration, fraud alert services and credit counseling.

“Serco regrets this incident and the inconvenience it may cause to some Thrift Savings Plan participants and payees whose personal data was involved. We have fortified our information security measures and cyber defenses. We are committed to supporting the FRTIB in its mission of providing world-class retirement management solutions for current and former federal employees, members of the uniformed services, and their families,” said Ed Casey, Chairman and Chief Executive Officer of Serco Inc.

The FBI supplied data to Serco and the FRTIB that required extensive IT security expert analysis in order to determine which TSP members were potentially affected. The analysis required opening and reviewing thousands of files in order to determine what personal information might be at risk and the identity of the potentially affected individuals, as well as taking further actions to determine the scope of the incident.

This incident fits with the increasing number of cyber attacks in which the goal of those seeking unauthorized access does not appear to include identity theft or financial misappropriation. It is an unfortunate reminder that Federal government and private company IT assets, computers and data are under pervasive, sophisticated attack. According to the U.S. Senate’s Sergeant at Arms, the computer systems of the government’s Executive Branch agencies and the Congress were probed or attacked an average of 1.8 billion times per month. The head of the U.S. Cyber Command for the Department of Defense said cyber threats are growing and that DoD computers were subjected to 6 million cyber attacks each day.

About Serco Inc.: Serco Inc. is a leading provider of professional, technology, and management services focused on the federal government. We advise, design, integrate, and deliver solutions that transform how clients achieve their missions. Our customer-first approach, robust portfolio of services, and global experience enable us to respond with solutions that achieve outcomes with value. Headquartered in Reston, Virginia, Serco Inc. has approximately 9,000 employees, annual revenue of $1.4 billion, and is ranked in the Top 30 of the largest Federal Prime Contractors by Washington Technology. Serco Inc. is a wholly-owned subsidiary of Serco Group plc, a $7 billion international business that helps transform government and public services around the world. More information about Serco Inc. can be found at www.serco-na.com.

Not surprisingly, it doesn’t really say anything about the attack itself, nor when the attack occurred. At some point, Serco will need to explain why it didn’t detect the attack via its own measures or audits if it diddn’t prevent it.

Update: MyFox Detroit has some additional details, including a statement that the attack occurred last July.

Related posts:

  • TSP head expresses regret over cyberattack
Category: Breach IncidentsBusiness SectorHackOf NoteU.S.

Post navigation

← GA: Phoebe Putney Memorial Hospital notifying home health patients their data may have been stolen for tax fraud
Was it or wasn’t it hacked: conflicting reports on a possible bank hack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity
  • Patient death at London hospital linked to cyber attack on NHS
  • ShinyHunters and team members arrested in France (2)
  • Texas Enacts Liability Shield From Punitive Damages for Certain Small Businesses That Adopt Cybersecurity Programs
  • Dublin ETB fined €125,000 for data protection breaches
  • From $5,000 to $800,000: Days Apart, OCR Security Settlements Show Puzzling Math

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.