TSP stands for Thrift Savings Plan. This is the 401(k)-equivalent that gov't employees can utilize. It is popular.
In April of 2012, the Federal Bureau of Investigation (FBI) informed the FRTIB (FEDERAL RETIREMENT THRIFT INVESTMENT BOARD) and Serco that in July of last year, a computer belonging to Serco, a third party service provider used in support of the TSP, was subjected to an unauthorized access incident. This incident resulted in the unauthorized access to the personal information of 123,201 TSP participants and payees. When the TSP learned of the cyber attack, we took immediate steps to investigate and notify our participants and other affected individuals.
The TSP notified their customers on June 1 of 2012 of the hack that occurred in July of 2011, but they only learned about it sometime in April of 2012.
So off I go to change my password and what to my wondering eyes should appear? The following constraints:
1. Contain exactly 8 characters
2. Contain both letters and numbers
3. Not match any of your last four passwords
4. Not contain special characters.
And for "security tips" they have:
1. Create words or phrases by combining letters and numbers (golf4fun)
2. Substitute letters for numbers (5 for S or 3 for E)
Screencap of password page: https://plus.google.com/photos/108320036461391153047/albums/5752480492680965105
TSP announcement: https://www.tsp.gov/whatsnew/plan/planNews.shtml#pii
I'm on a password changing kick, using 12-20 character snippets from GRC's Perfect Passwords. Needless to say, TSP choked -- and so did I.
It sounds to me like it is tied directly to an old mainframe account, but there is no excuse for this level of sloppiness.
I thought you all would find it entertaining -- or frightening if this is where you have a chunk of your retirement funds set up.
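To put numbers on the four constraints listed in the post, the following added example (not part of the original post, and not TSP's code) counts the passwords the policy allows and compares that with a 12-character random password. Whether TSP treats passwords as case-sensitive is not stated on the page, so both cases are computed as assumptions; the 94-character printable alphabet for the random password is also an assumption.

```python
import math
import string

DIGITS = len(string.digits)                      # 10
LETTERS_CASE_SENSITIVE = len(string.ascii_letters)    # 52 (assumption: case matters)
LETTERS_CASE_FOLDED = len(string.ascii_uppercase)     # 26 (assumption: case is folded)
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94


def tsp_keyspace(letters, length=8):
    """Count strings of exactly `length` letters/digits that contain
    at least one letter and at least one digit (rules 1, 2 and 4)."""
    total = (letters + DIGITS) ** length
    only_letters = letters ** length     # excluded by rule 2
    only_digits = DIGITS ** length       # excluded by rule 2
    return total - only_letters - only_digits


def bits(keyspace):
    """Entropy in bits of a uniformly random choice from `keyspace`."""
    return math.log2(keyspace)


def complies(password):
    """Check a candidate against rules 1, 2 and 4 from the post.
    Rule 3 (password history) needs server-side state and is not modelled."""
    return (
        len(password) == 8
        and password.isascii()
        and password.isalnum()                      # no special characters
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


if __name__ == "__main__":
    for label, letters in (("case-sensitive", LETTERS_CASE_SENSITIVE),
                           ("case-folded", LETTERS_CASE_FOLDED)):
        n = tsp_keyspace(letters)
        print(f"TSP policy, {label}: {n:,} passwords, {bits(n):.1f} bits")
    # Constructed comparison: 12 random characters from 94 printable symbols.
    print(f"12 random printable chars: {bits(PRINTABLE ** 12):.1f} bits")
    # The site's own example tip passes; a longer or symbol-bearing one cannot.
    for candidate in ("golf4fun", "golf4fun!", "correct7horse"):
        print(candidate, "->", "accepted" if complies(candidate) else "rejected")
```

The fixed length is what caps the policy: even in the best case it is roughly 47 bits, against roughly 78 bits for the 12-character random password.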