TSP Board withholding results of security review prompted by 2011 hacking attack


Last year, following the disclosure that 123,000 Thrift Savings Plan accounts had been hacked, the Federal Retirement Thrift Investment Board launched a wide-ranging assessment of its computer system security.

That “Tiger Team” task force review is now complete, but the board isn’t making the findings public.

Instead, the agency is withholding the entire report on the grounds that disclosure “could reasonably be expected to risk circumvention of the law,”  Amanda Haas, a Freedom of Information Act officer with the board, said in a response today to Federal Times’ FOIA request. Haas did not immediately reply to a request for more information on why the board is claiming that particular exemption to the act’s requirement that government records are generally public.

The board began the review after learning early last year that Social Security numbers, addresses and other personal data for the 123,000 account-holders had been stolen from a contractor’s network. The cyberattack actually occurred in 2011, but board officials didn’t learn about it until getting notification from the FBI. The bureau has not announced arrests or charges in the case.

The Tiger Team review was in part intended to identify any computer security gaps and come up with ways to fix them, Greg Long, the thrift board’s executive director, told a Senate subcommittee last July.  Long made no mention of law enforcement issues, but acknowledged that–at the time of the attack–the board didn’t have a “breach notification plan” because it lacked the resources to develop one. (Long signed such a plan in June 2012.)

The TSP has some 4.6 million participants, including military personnel, civilian agency employees and U.S. Postal Service workers.

Scott Hodes, a lawyer who was once acting chief of the FBI’s FOIA litigation unit, was not familiar with the report, but said in an interview that the board has to establish a threshold to legally withhold information under the FOIA law enforcement exemption. Even then, parts of the report that don’t meet that threshold must be released, Hodes said.

“They can’t withhold everything.”


About Author


  1. Kind of makes me wonder what kind of individuals are monitoring the IT security of government systems and the data that is shared with government contractors. I got a letter just last week from another agency saying that my personally identifiable information may have been compromised and they offered me credit monitoring.

    When I called to sign up and ask what happened they told me they think that a database supporting an “executive” website may have been exposed. I was also told that mine wasn’t the only information compromised.

  2. Why on earth would anyone be worried about some hacker gaining access to their TSP account when we have literally one of the most crooked, corrupt and vile administrations in history, anchored with an equally vile, corrpupt and inept congress???
    These two entities pose a far greater threat to all TSP account holders than some hacker out there.

  3. I experienced fraud that year for income tax. The slime that stole it had all my personal information; name, address, social #. Now i know how they got it! Hmmm – I want to know who it was that did it! I know they caught them, the transaction was traced from IRS to the debit card. IRS is bleeding money because they just send these frauds the money without checking.

Leave A Reply