A number of our users asked how they can find out if their personal information was compromised in the computer data breach announced by the Federal Retirement Thrift Investment Board on Friday. The FRTIB has provided some additional information to help answer some of these common questions.
One of the obvious questions plan participants ask is, how do I know if my information was compromised? The TSP web site states, “We have no reason to believe that the data has been misused. Further, we have notified all individuals whose personal information was affected. We have engaged Kroll Inc., the world’s leading risk consulting company, to provide its ID TheftSmartTM service for one year to the affected individuals. Among other features, this service offers credit consultation and continuous credit monitoring throughout the length of the service. We also have suggested steps that affected individuals can take to protect themselves. For additional information about identity theft, visit the Federal Trade Commission (FTC) website at http://www.ftc.gov/idtheft.”
So, if you were affected, you can expect to be contacted by the FRTIB shortly with additional information.
What exactly happened?
In July 2011, a computer that belongs to Serco, which is a third party service provider used in support of the TSP, was hacked which resulted in the unauthorized access to files containing personal data of approximately 123,000 TSP participants and payees. The FBI informed the FRTIB and Serco of the incident last month.
The personal data that were accessed consisted of several files of varying personal data of approximately 123,201 individuals. Of that number, about 43,000 individuals’ Social Security numbers were in the files that were accessed, and another group of approximately 80,000 individuals had their Social Security numbers and some TSP related information accessed, however their names were not associated with this particular information.
The FRTIB also stated that the tsp.gov web site is indeed safe to use and was not compromised. It was only the computer at the third party vendor which suffered the attack.