Over 120,000 federal employees had their personal information stolen from their Thrift Savings Plan (TSP) accounts.  The TSP is a 401(k) type of retirement fund used by active and retired federal employees and members of the military.  This story was reported on Saturday (A2, The Washington Post).

So here’s the terrible news in case you missed it. The hacking happened last July (!!) but it’s unknown when it was discovered. The FBI found out about it (unknown just when) and alerted the TSP and the affected contractor last month. The FBI says it’s still investigating the breach.

Here’s the bad news in a nutshell:

  • Hackers got into the computers of the contractor, Serco, that handles the TSP accounts.
  • They stole the SSNs from 123,201 accounts.
  • Out of those 123,201 affected accounts, about 79,600 accounts had only “some” TSP-related information stolen.
  • However, the remaining 40,000+ accounts also had names, addresses and, in some cases, financial account and routing numbers stolen.
  • Serco and the FBI shut down the hacked computer.
  • Serco began a review of the TSP security procedures and strengthened the security protections.

What else is TSP saying and doing?

  • TSP says it’s monitoring the hacked accounts for any suspicious activity.
  • They said there’s “no reason” to believe that the personal information’s been used for criminal purposes.
  • It took TSP more than a month to start alerting the affected people because, they said, they needed to cross-match the information the FBI provided about the hacking against the files to identify which accounts were hacked and what personal information was stolen.
  • Letters are going out to the people whose accounts were hacked.
  • The letters will tell recipients how to contact a call center that’s been established to provide information about the services TSP is offering, which include credit monitoring.

So what should you do — right now and if you get a letter?

  • Look at your TSP account right now just to make sure it’s intact.
  • Call the TSP call center immediately if you get the letter.
  • Take the credit monitoring. Make sure to ask whether the credit monitoring service being offered will notify the other credit monitoring agencies. You want to make sure that all 3 credit monitoring agencies are on the alert.

Finally, stay on the alert for any potential misuse of your personal information. Yes, the hacking happened last July, but hackers can and do keep using stolen information for as long as they can.