The Guardian has called Serco “probably the biggest company you have never heard of.” It’s on the FTSE 100 (Big!), has 100,000 employees and operates everything from railways in the UK and Australia to driver licensing in Ontario, Canada to retirement accounts for US government employees, members of the armed forces and US Postal Service workers.
Perhaps taking advantage of the holiday weekend in the United States, Serco announced this morning that hackers had compromised systems at its Thrift Savings Plan (TSP) operation.
After extensive forensic investigation it was determined that 43,000 members’ names, addresses and Social Security Numbers had been accessed by the intruders, and the Social Security Numbers of another 80,000 may have been involved.
Consistent with the findings presented in this year’s Verizon Data Breach Incident Report, Serco did not even realize they were compromised until they were contacted by the FBI in April 2012.
Individuals whose information may have been accessed will receive a letter from the Federal Retirement Thrift Investment Board (FRTIB) in the coming days.
Serco claims that there is no evidence of any financial fraud or identity theft related to the incident, but that does beg the question… How would they know?
They haven’t notified the victims, so if these poor folks had noticed any funny business on their credit report, why would they report it to Serco or even suspect it is related to the company?
As I mentioned in the article about the data breach in Utah, Social Security Numbers aren’t disposable. They are a permanent identifying number that can be used to wield enormous power over victims’ lives.
The other thing that bothers me about this case is that the press release from Serco makes no attempt at apologizing or admitting that it has not lived up to its responsibilities.
“It was crazy, sophisticated, relentless hackers. It happens all the time. Nothing we could do about it. They stole your personally identifiable information, but we don’t think they wanted it.”
Shame on you, Serco. If it weren’t for the FBI having contacted you, data would still be leaking off of your network. A little data encryption goes a long way toward avoiding this type of situation.
Let us hope Serco is correct and the stolen information will not be used for nefarious purposes.
Victims of this incident should still be on the lookout for any strange activity on their credit reports and may wish to put a “security freeze” on their credit reports with the major agencies.
Update: Further information has been published that shows the original intrusion into Serco’s system occurred in July 2011. Information that was accessed has been available to criminals for nearly a year before Serco was notified by the FBI.Follow @chetwisniewski
Poor credit rating image courtesy of Shutterstock.