The U.S. Federal Retirement Thrift Investment Board (FRTIB) recently acknowledged that a breach last July of a computer at third-party service provider Serco provided attackers with access to personal information on 123,201 beneficiaries and participants in the Thrift Savings Plan for government employees, including the names, addresses and Social Security numbers of 43,587 people.
"Serco and FRTIB were alerted in April by the Federal Bureau of Investigation that one of the computers used to service TSP had been the victim of unauthorized access," writes Computerworld's John Ribeiro. "Besides shutting down the computer, FRTIB and Serco did forensic analysis to determine which people were affected, and enhanced the security, FRTIB and Serco said in separate statements. Serco confirmed that its computer had been affected."
"Serco claims that there is no evidence of any financial fraud or identity theft related to the incident, but that does beg the question... How would they know?" writes Sophos' Chester Wisniewski. "They haven't notified the victims, so if these poor folks had noticed any funny business on their credit report, why would they report it to Serco or even suspect it is related to the company?"
"FRTIB said it is sending notification letters to affected persons, providing them information on how to contact a call center set up to provide support and services such as credit montoring," writes PCWorld's John Ribeiro. "Alerts will be placed on the affected TSP accounts to monitor activity as an added precaution. "
"While the incident involved a contractor’s computer, information security is an ongoing concern for the government and has been the subject of numerous reports, congressional hearings and legislative proposals," The Washington Post's Eric Yoder notes. "According to an October 2011 report by the Government Accountability Office, federal agencies are experiencing increasing numbers of security incidents that put sensitive information at risk. The number of attacks reported by agencies to a central information security incident center increased from 5,503 in fiscal year 2006 to 41,776 incidents in fiscal year 2010, the report said."