Serco Inc., a well-known contractor working with the U.S. government, announced that it was the target of a sophisticated attack that exposed data on 123,000 civil employees of the Federal government and their families, including names, addresses and social security numbers taken from the company’s system.

According to a press release issued Friday, the “sophisticated” breach occurred in April and affected a computer used by the company to support the Federal Retirement Thrift Investment Board, an executive branch agency. About 43,000 retirees who use the company’s Thrift Savings Plan (TSP), a kind of 401k for government employees, had their names, addresses and Social Security Numbers compromised. Around 80,000 other users may have just had their Social Security Numbers compromised, Serco said.

The company called the attack “sophisticated.” It said it was informed of the compromised system by the FBI and that the attack “fits with the increasing number of cyber attacks in which the goal of those seeking unauthorized access does not appear to include identity theft or financial misappropriation.”

Serco Inc., based in Reston, Virginia, is the U.S. subsidiary of  Serco Group, plc.  Serco provides professional and technology services to the federal government and ranks as one of the Top 30 largest Federal Prime Contractors, with approximately 9,000 employees and annual revenue of $1.4 billion.

The attack “is an unfortunate reminder that Federal government and private company IT assets, computers and data are under pervasive, sophisticated attack,” Serco said in a statement. 

Serco said that a forensic analysis of the data doesn’t suggest that the TSP network was compromised. Lacking evidence that the data stolen is being used identity theft scams, the company says it will provide support and offer fraud consultation, restoration and alert services, along with credit counseling, to customers who were victims, according to the release.

Millions of retirees were implicated in a similar breach last year after the Texas Comptroller’s Office leaked users’ social security numbers and driver’s license numbers.

Categories: Uncategorized

Comments (8)

  1. Anonymous

    and once again, we’ll bitch and moan and nothing will change…whooo hoooo

  2. Anonymous

    It seems that every organization that undergoes data theft online claims it was due to a “sophisticated” attack.  That just about explains what happened, doesn’t it?


  3. Anonymous

    Sophisticated? Yes the hacker performed the attack while sampling a fine cabernet and aged cheeses. Next time cont ake the password “ssndatabase”.

  4. Anonymous

    Would appear that the US Government should find a contractor — if they claim to be in the IT business — who can PRECLUDE ‘SOPHISTICATED’ attacks.  We do live in 2012 folks — not 1985!  Sounds like someone FAILED to think through potential security breaches, and was merely satisfied to accept government dollars for sitting on their duffs!

  5. Anonymous

    So was this a sophisticated attack or a rudimentary one?  I like the specific lack of any details of the attack, or what all was compromised, but I do appreciate how sophisticated it was.


  6. Anonymous

    If you don’t know who did the attack then stop talking about how it was Lulzsec or Anonymous or Occupy.

    It probably was sophisticated.

    Stop being smart a$$e$ who think you know details of every single data breach.

  7. david

    Those commenting are not claiming to know every single data breach detail but are  lamenting the lack of detail that has been forthcoming. The term “sophisticated” security breach seems to be  routinely used where no details are given, regardless of the nature or complexity of the breach. Another standard response is to claim that no financial losses have occurred and that there is no evidence that the information stolen will be used to access any investor accounts. Why would anyone engage in such time consuming criminal activity without a motive to illegally profit from it? I am one of the 23K who have had my personal information taken and the response of TSP has been totally inadequate. No further information has been furnished on the details of the theft and the offer of the services of a credit monitoring company for one year is hardly protective against a future attack on my accounts. 

Comments are closed.