A cyber attack on a computer of a contractor for the $313 billion Thrift Savings Plan, Washington, could have compromised account information for about 123,000 plan participants, the Federal Retirement Thrift Investment Board, which oversees the plan, announced Friday.
Officials at the board stressed that the breach did not affect the TSP computers or website, and there is no evidence of identity theft or funds being diverted.
“The TSP.gov site was not accessed or compromised at all,” said board spokeswoman Kim Weaver in an interview. “It remains safe.”
The attack was made on a computer at Serco Inc., a contractor helping to update TSP's disbursement system software, and was first detected by the FBI in April.
Serco and the board performed a forensic analysis to see which TSP account holders were affected, concluding that 43,587 participants had personal information including Social Security numbers potentially compromised, and another 80,000 may have had their Social Security numbers accessed from the Serco computer. Those participants are being notified in letters mailed on Friday. The board also is setting up a support call center and credit monitoring for them.
Executive Director Greg Long said in a statement that the board is adding security measures to protect TSP data.
A Serco news release called the incident “an unfortunate reminder” that government and private company IT computers and data “are under pervasive, sophisticated attack,” noting a congressional estimate that the computer systems of Congress and the executive branch are probed or attacked an average of 1.8 billion times each month.
Calls to Serco were not returned at press time.