Fedline

Federal Times Blogs

TSP Board withholding results of security review prompted by 2011 hacking attack


Last year, following the disclosure that 123,000 Thrift Savings Plan accounts had been hacked, the Federal Retirement Thrift Investment Board launched a wide-ranging assessment of its computer system security.

That “Tiger Team” task force review is now complete, but the board isn’t making the findings public.

Instead, the agency is withholding the entire report on the grounds that disclosure “could reasonably be expected to risk circumvention of the law,” Amanda Haas, a Freedom of Information Act officer with the board, said in a response today to Federal Times’ FOIA request. Haas did not immediately reply to a request for more information on why the board is claiming that particular exemption to the act’s requirement that government records are generally public.

The board began the review after learning early last year that Social Security numbers, addresses and other personal data for the 123,000 account-holders had been stolen from a contractor’s network. The cyberattack actually occurred in 2011, but board officials didn’t learn about it until getting notification from the FBI. The bureau has not announced arrests or charges in the case.

The Tiger Team review was in part intended to identify any computer security gaps and come up with ways to fix them, Greg Long, the thrift board’s executive director, told a Senate subcommittee last July. Long made no mention of law enforcement issues, but acknowledged that, at the time of the attack, the board didn’t have a “breach notification plan” because it lacked the resources to develop one. (Long signed such a plan in June 2012.)

The TSP has some 4.6 million participants, including military personnel, civilian agency employees and U.S. Postal Service workers.

Scott Hodes, a lawyer who was once acting chief of the FBI’s FOIA litigation unit, was not familiar with the report, but said in an interview that the board has to establish a threshold to legally withhold information under the FOIA law enforcement exemption. Even then, parts of the report that don’t meet that threshold must be released, Hodes said.

“They can’t withhold everything.”
