Sen. Susan Collins, R-Maine, is asking the FBI and the Federal Retirement Thrift Investment Board why they took so long to report a sophisticated cyberattack that exposed the Social Security numbers and other personal information of 123,201 Thrift Savings Plan participants.
A desktop computer at a Northern Virginia TSP data center operated by Serco Inc. was hacked in July, but the FBI did not tell the TSP board about it until April 11. The FBI refused to tell Federal Times when it found out about the attack, or why it took nine months to notify TSP officials and Serco.
The board reported the attack to the Senate Homeland Security and Governmental Affairs Committee, on which Collins is the ranking Republican, on May 25, the same day it announced the hacking to the media.
Collins sent a letter to FBI Director Robert Mueller asking when the FBI learned about the attack and how it was discovered, why it delayed reporting the attack to the board, and why it did not tell Congress about the attack in April. In a second letter, to FRTIB Executive Director Greg Long, Collins asked why the board did not tell Congress about the breach.
In an interview with Federal Times Tuesday, FRTIB external affairs director Kim Weaver said the data the FBI provided in April was unreadable at first, and that it took five weeks to straighten the data out and figure out exactly whose information had been compromised.
“We had some data that was just strings of numbers,” Weaver said. “You couldn’t tell what was a Social Security number, what was the day of the month, what was a payment amount, so it took quite a bit of time to get the data into a format where we could figure out the information.”
When asked why TSP did not tell all of its participants about the breach right away, before it had figured out who was affected, Weaver said, “That would be a nice way to scare … 4 million people.”
“It was not a good thing, and we’re not happy about it,” Weaver said. “But it’s 2 percent of our population [that was affected]. To scare all of them would not be a smart move, in our estimation.”
Weaver said the board mailed letters to affected employees May 25, and that most of those letters should arrive May 29. The FRTIB said there is no indication that the exposed data has been misused, but it is offering free credit monitoring to affected participants.
Weaver said the board has received Collins’ letter and is preparing a response.