June 3, 2012
It is a truism in Washington that if an agency or politician needs to publicize negative news, it issues a press release on Friday afternoon just as everyone is headed home for the weekend. The recently reported TSP hacking incident was certainly negative news, and TSP administrators posted their most recent update on Friday afternoon. While the posting appeared on the site at just after 3 p.m. EST, still during business hours and not quite late enough to avoid garnering any press, the timing does make one wonder. This is the second time TSP administrators issued an update on a Friday afternoon, with the initial press release coming before a three-day weekend no less.
As originally reported, the hacking incident targeted a computer used by the Reston-based contractor Serco, Inc. to support the Federal Retirement Thrift Investment Board (FRTIB) operations. According to Serco, which is “a provider of professional, technology, and management services,” the FBI “informed Serco that one of its computers used in support of the FRTIB was subjected to unauthorized access.” They were informed of the breach sometime in April 2012, according to the FRTIB and the Serco press release of the incident. “The FRTIB and Serco acted quickly and decisively to further investigate the incident, take additional steps to protect the integrity of FRTIB’s data, and ensure that FRTIB’s TSP continues to be a safe and secure retirement plan for federal employees,” according to Serco.
Not much new information was added to the June 1st posting. It repeated the basic information found in the original TSP press release, namely that “data of approximately 123,201 individuals were accessed” in the breach, and “the names, addresses, and Social Security numbers of roughly 43,000 individuals were in the accessed files.” In some of these cases, “data also included financial account numbers and routing numbers.” “Another group of roughly 80,000 had their Social Security numbers and some TSP-related information accessed, but their name was not associated with this information,” according to the posting, which also reiterated that no one’s actual TSP account was accessed by an unauthorized person. It provided a few more specifics for those whose personal data was accessed: TSP administrators are providing Kroll Inc.’s “ID TheftSmart™ service for one year to the affected individuals.” The TSP administrators also reiterated that there was “no indication that the TSP network itself was subjected to unauthorized access. Rather, it was a Serco computer that was subject to a cyber attack.” Those whose information was compromised were notified by letters sent in late May.
The TSP website does offer one important feature that allows participants to check on each and every transaction, but a participant must log in each time to check for recent transactions.
Given the recent revelations, and comparing security on other investment sites versus the tsp.gov site, I would advocate additional security measures for the TSP site, such as:
1) The ability to associate both a personal e-mail account and a phone number with one’s TSP account. This way, participants can receive automatic alerts, either by e-mail or by text message, of a pending transaction (including regular bi-weekly or monthly contribution information). While transaction requests currently require an e-mail account, any e-mail address can be supplied, so this is not an added security measure that verifies identity but merely a means of informing the participant that a transaction has completed.
2) A personalized security image at log-in to protect against phishing attacks. Also, I would advocate the use of multiple security images with only one correct image on the screen, where the TSP account holder must select the correct one to log in.
3) And lastly, a section that provides information on when the participant last logged in to the account.
This is an opportune time for members of the FRTIB to take a comprehensive look at site security, for peace of mind of Thrift Savings Plan participants.