The OPM Data Breach – What To Do Now and In the Future to Protect Ourselves
Background on the Office of Personnel Management Data Breach
The initially reported OPM data breach reported in June, 2015 includes all individuals who are currently federal employees, are retired federal employees, serve in the military. The later announcements expanded the number of people affected to include everyone who has an active security clearance, has held a security clearance held in the past few years or applied for one and filled out an SF86 form.
That means that if you have worked for the government in a civilian or military capacity, the Chinese have your personally identifiable information, plus all the incriminating personal information on your SF 86 form.
Furthermore, if you work for a defense contractor like Lockheed Martin or Boeing and have held a security clearance from the confidential to top secret level, the Chinese have all of your personally identifiable information and any incriminating information in your SF 86 form.
What You Can Personally Do About the Federal Records Data Breach
The OPM sent messages to the roughly four million people whose personally identifiable information was hacked from 6/4/15 to 6/19/15, due to malicious software that was discovered by a third party IT security tool demonstration.
You can go to the site Csid.com/opm or call 1-844-222-2743 to sign up for the CSID protector plus plan for 18 months.
What If I Didn't Get an Email from CSID on the Data Breach?
Unfortunately, many people were sent this message as part of a mass message, and it then landed in their spam folders. Check your spam folder if you haven’t seen the message, as well as older email accounts, if the email address in your SF86 form or security paperwork is several years old.
If the OPM did not have an email address for the person, a physical letter was sent via USPS. One fluke of these letters that I personally experienced is that they do not always use the correct combination of name and address. In my case, I received the letter at my current address but with my maiden name. Many people did not receive the letter because it was sent to an old address and never forwarded or thrown out because it was not addressed to the current resident.
What You Can Personally Do to Protect Yourself after the OPM Data Breach
Monitor your financial reports for suspicious activity. Check the credit reports for spouses whose Social Security Numbers were included on the SF86 form.
Request a free credit report at annualcreditreport.com or call 1-877-322-8228 to request one.
You can put a fraud alert on your credit record by calling Transunion at 1-800-680-7289; Transunion will relay the alert to the other credit reporting agencies
Be careful of suspicious phone calls, visits or emails. Never simply reply to an email except from the CSID about the data breach.
Don’t provide information about your company, even if the message appears to come from your company. Many defense contractors are using internet websites to discuss what to do about the Office of Personnel Management data breach, not sending messages to their employees’ personal email accounts.
Double check the URL you are using when signing up for a credit report, reporting identity theft and checking your credit score.
Sign up for identity theft protection services like Zander Insurance. This is an option for those whose information was stolen in the U.S. Office of Personnel Management data breach, as long as you don’t have clear evidence that identity theft is already occurring. If someone has already started opening credit cards in your name, it is too late to get identity theft protection.
You can also request a credit freeze or security freeze, which makes it very difficult for someone to open a new account in your name. This won’t prevent you from requesting your free annual credit report but could add to the work load when you apply for a job that runs a credit check, open new utility accounts, submit an application to rent an apartment and get a credit check run in the process. In these cases, you’ll need to contact the credit reporting agency to temporarily lift the freeze, each time giving the PIN number that you received when the account was frozen.
What If You Think Your Identity Is Already Compromised per the OPM Data Breach?
The government is advising people to report suspected identity theft to the FBI internet crime complaint center at www.ic3.gov.
If you have an active security clearance, also report suspected identity theft to the security contact of the program you are working on.
Consider putting a fraud alert on your credit report. Requesting a fraud alert with one credit reporting company will eventually get the other credit reporting agencies to place the fraud alert on their reports as well. You can also contact all three credit reporting agencies to put a fraud alert on your credit report, so that the protective measure is in place faster.
What We Can Do Long Term About the Data Breach?
First and foremost, require that all IT work for the government be done by American citizens resident in the United States. The U.S. Office of Personnel Management data breach was most likely the result of Chinese contractors working for the government on contract. IT service outsourcing should be limited to businesses and personnel located in the US with American citizenship to reduce the risk that those with access to our most sensitive information are not beholden to a foreign government. This applies to outsourcing by companies like CSC to Indian and European tech support, Tata Consultancy and any firm using HB-1 visa holders.
There is no STEM shortage preventing companies from finding qualified Americans to do this work. That is only an excuse for companies to lay off mid-career Americans and bring in foreign workers, as well as outsource to foreign firms that have lower labor costs.
Second, we can require the government to follow its own polices and best practices. The database with personally identifiable information should have been encrypted and access controlled via multi-factor authentication. It wasn’t, which made it that much easier to be accessed and potentially misused.
Third, the federal government needs to stop playing the dance of the lemons. When the Obamacare website rollout was a disaster, the IRS still hired them for a four and a half million dollar new contract in 2014. When data breaches, unlawful snooping of records and other massive failures occur, those responsible for the breach and their management should be terminated, banned from ever holding another position with the federal government again. Instead, they get demoted and shuffled off to a different job. For companies with a track record of failure like CGI, the company should be blacklisted from federal work and removed from existing contracts as quickly as possible.
More by this Author
ISO 27002 provides a list of hundreds of controls for IT security as recommended by ISO 27001. What does ISO Std 27002 say?
Which apps are the greatest risks to your IT security?
What are the primary types of process improvement projects in IT?