Serco reports 123,000 US government employees' personal information stolen

Filed Under: Data loss, Privacy

The Guardian has called Serco "probably the biggest company you have never heard of." It's on the FTSE 100 (Big!), has 100,000 employees and operates everything from railways in the UK and Australia to driver licensing in Ontario, Canada to retirement accounts for US government employees, members of the armed forces and US Postal Service workers.

Perhaps taking advantage of the holiday weekend in the United States, Serco announced this morning that hackers had compromised systems at its Thrift Savings Plan (TSP) operation.

After extensive forensic investigation it was determined that 43,000 members' names, addresses and Social Security Numbers had been accessed by the intruders, and the Social Security Numbers of another 80,000 may have been involved.

Consistent with the findings presented in this year's Verizon Data Breach Incident Report, Serco did not even realize they were compromised until they were contacted by the FBI in April 2012.

Individuals whose information may have been accessed will receive a letter from the Federal Retirement Thrift Investment Board (FRTIB) in the coming days.

Serco claims that there is no evidence of any financial fraud or identity theft related to the incident, but that raises the question: how would they know?

They haven't notified the victims, so if these poor folks had noticed any funny business on their credit report, why would they report it to Serco or even suspect it is related to the company?

As I mentioned in the article about the data breach in Utah, Social Security Numbers aren't disposable. They are a permanent identifying number that can be used to wield enormous power over victims' lives.

The other thing that bothers me about this case is that the press release from Serco makes no attempt at apologizing or admitting that it has not lived up to its responsibilities.

"It was crazy, sophisticated, relentless hackers. It happens all the time. Nothing we could do about it. They stole your personally identifiable information, but we don't think they wanted it."

Shame on you, Serco. If it weren't for the FBI having contacted you, data would still be leaking from your network. A little data encryption goes a long way toward avoiding this type of situation.

Let us hope Serco is correct and the stolen information will not be used for nefarious purposes.

Victims of this incident should still be on the lookout for any strange activity on their credit reports and may wish to put a "security freeze" on their credit reports with the major agencies.

Update: Further information has been published that shows the original intrusion into Serco's system occurred in July 2011. Information that was accessed has been available to criminals for nearly a year before Serco was notified by the FBI.

Poor credit rating image courtesy of Shutterstock.


2 Responses to Serco reports 123,000 US government employees' personal information stolen

  1. Xer · 793 days ago

    "As I mentioned in the article about the data breach in Utah, Social Security Numbers aren't disposable. They are a permanent identifying number that can be used to wield enormous power over victims' lives."

    That's exactly right. Isn't it funny, though (I mean in a non-humorous way) that people don't see that the greatest power it gives is to the entity that issues those numbers. That particular elephant in the living room is taboo as a subject of discussion. Yet, despite its ironically violent abuse of the word "security", it is ultimately the source of a massively destabilizing, highly entropic force for INsecurity.

    Oh, wait...you probably meant victims of the small-time bad guys, not the big-time, official, institutionalized, powers-that-be, masquerading-as-good-guys bad guys. My mistake.

  2. Sharp · 793 days ago

    So wait, no ID theft, or fraud? How come the FBI came in to address this then? Something must have happened that made the FBI jump on the case, since the company missed the breach entirely. I hate companies that have security breaches and then hide information because of the negative impact it will have on the company. What's the point of the law, when the companies who are supposed to be abiding by it are still withholding information?

    The report says "When the TSP learned of the cyber attack, we took immediate steps to investigate and notify our participants and other affected individuals." So immediate is 3 months later.

    Knowing such a huge company didn't notice the security breach for almost a year before the FBI stepped in shows this company should not be trusted with important data. My guess is this company has no plans to further look into the issue, since over a year later they probably have no logs to review, while they just now start to implement security for the system. A little too late now.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.