For the second time in less than a year, the Federal Office of Personnel Management (OPM) has experienced a significant government data breach. In this go-round, it is believed that the data of nearly 4 million past and current federal workers were compromised. This is a staggering number, and an even greater disaster. The data at risk includes “personally identifiable information” (PII) such as people’s names, Social Security numbers, dates and places of birth, and current and former addresses.
In a separate, but related breach in which hackers gained access to information on military personnel seeking security clearances, data thieves may also have accessed information about job assignments, performance ratings and training information, applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences and names of neighbors and close friends. Pretty much everything a foreign spy agency would need to compromise national security.
Early speculation placed the blame for the attack on China, but there has been no official confirmation of that. And the bigger question is, how much does that even matter? The lesson to be learned from this isn’t that we need to place sanctions on China, as Obama is reportedly considering, but that we need to continue to improve what WE are doing to stop these breaches. Consider that in 2006, according to a recent Government Accountability Office report, there were 5,503 information security incidents and in 2014, there were 67,168. Clearly, we haven’t learned fast enough!
Within the last year, the OPM has worked to update its cybersecurity defense methods, adding numerous tools and capabilities to its networks. The good news is that this new technology allowed OPM to detect the latest cyber-intrusion, which took place before the adoption of the tougher security controls. The office “immediately implemented additional security measures to protect the sensitive information it manages” and said it would notify people affected between June 8 and June 19. (Ironically, this falls outside the 30-day notification window that President Obama, in a speech in January, proposed companies should be held to when telling people their data has been hacked.)
But as Rep. Adam B. Schiff (Calif.), ranking Democrat on the House Intelligence Committee, said:
“This latest intrusion . . . is among the most shocking because Americans may expect that federal computer networks are maintained with state-of-the-art defenses,” he said. “The cyberthreat from hackers, criminals, terrorists and state actors is one of the greatest challenges we face on a daily basis, and it’s clear that a substantial improvement in our cyber databases and defenses is perilously overdue.”
There has been a debate over whether the information was targeted for financial gain or to bolster attempts to steal intellectual property. One thought is that personal information could be useful in crafting “spear-phishing” e-mails, which are designed to fool recipients into opening a link or an attachment so that the hacker can gain access to computer systems. Using the stolen OPM data, for instance, a hacker might send a fake e-mail purporting to be from a colleague at work.
Along with listing specific agencies victims may contact, OPM.gov offers these tips on how to avoid being a victim:
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).
- Pay attention to the URL of a website. Use the hover technique to verify legitimacy. Malicious websites may look identical to a legitimate site, but the URL may vary in spelling or use a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).
- Take advantage of any anti-phishing features offered by your email client and web browser.
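The “hover technique” above boils down to comparing the domain behind a link with the domain you expect. The following is an added example (not from OPM.gov or US-CERT) that automates that comparison for a constructed allow-list of domains mentioned on this page: it flags the same name under a different top-level domain (.gov vs. .net), a trusted domain buried as a subdomain of an unrelated site, and near-spellings such as a zero for an “o”.

```python
from urllib.parse import urlparse

# Constructed allow-list for this example; a real deployment would use the
# organization's own list of domains employees are expected to visit.
TRUSTED_DOMAINS = {"opm.gov", "ic3.gov", "annualcreditreport.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url):
    """Lower-cased host of a URL; a bare 'opm.gov' is accepted as well."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".")


def registered_domain(host):
    """Last two labels of the host ('www.opm.gov' -> 'opm.gov').
    Simplification: public suffixes such as co.uk are not handled."""
    return ".".join(host.split(".")[-2:])


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for the URL behind a link."""
    host = hostname(url)
    dom = registered_domain(host)
    if dom in trusted:
        return "trusted"
    name, _, tld = dom.rpartition(".")
    for t in trusted:
        tname, _, ttld = t.rpartition(".")
        if name == tname and tld != ttld:            # opm.gov vs opm.net
            return "lookalike"
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike"                        # opm.gov.example.com
        budget = 1 if len(tname) < 6 else 2           # short names: be strict
        if edit_distance(name, tname) <= budget:      # 0pm.gov
            return "lookalike"
    return "unknown"
```

Anything that comes back as “lookalike” or “unknown” deserves the manual check the tip describes: contact the organization through a number or address you already have, not one taken from the message.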
Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
- Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
- Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.
- Consider freezing your credit.
John Sileo is an award-winning author and keynote speaker on identity theft, cyber security, fraud training & social engineering. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.