10 Steps to take after Cyber Security breach at the OPM
During the first week of June, news of another cyber security hack was reported. This time the Office of Personnel Management (OPM) was hacked and exposed private information on 4 million current and former federal employees. Now this is a massive hacking incident because the OPM handles security clearances and employee records for the federal government, and the breach potentially included personally identifiable information which presumably could include Social Security numbers, dates of birth, addresses, credit card data, banking records, and other forms of financial information.
What’s really disturbing is that it is believed that the Social Security Numbers were not encrypted, which is a cyber security failure that is absolutely indefensible and outrageous given the importance of protecting our social security number in general. Really, if personnel offices take such minimal steps to guard data that can cause havoc for their employees, what are we to do? The fact is, the federal workforce should be worried. But in reality, everyone needs to be worried. Many companies in the private sector are also particularly bad at protecting employee data and these type of breaches happen routinely in the private sector.
Also disturbing is that it was reported in the Wall Street Journal that the breach was actually discovered during a sales demonstration by a security company showing the OPM its forensic products. This just demonstrates that there are many security products out there and one product may find vulnerabilities that other products don’t. That’s why I tout using various security products to protect your home IT equipment.
I grew up around the Washington D.C. area where various Federal agencies are located and I also work in the defense Industry. Thus I know quite a few people who are affected by this hack. There is a question about whether security clearances were part of the breach. If they were, the breach could be more far reaching as this would also then include information on references that have been provided by potential employees, such as contact information and professional references on multiple personnel. I am sure many people in the Washington DC area were listed as references by their friends, family members, and neighbors who were seeking federal employment thus information provided on them on security clearance forms may also be included in this breach.
Now the media, including big names like the Washington Post and Wall Street journal reported that the Chinese hackers were responsible for the breach. The federal government and the executive office will not officially blaming the Chinese without concrete proof. Why would the Chinese want personal data on federal employee? I suspect they would like to know all the information on employees who have applied for top secret clearances. The personal details can be used for blackmail, and for composing emails designed to appear legitimate while used to inject spyware on government networks or businesses. Imagine if someone had 780 separate pieces of information about you, they could use this information to try to manipulate you into providing more details of yourself to compromise or steal your identity. If the hackers gained access to the so called SF-86 forms, documents used for conducting background checks for security clearances, the damage could be greater, as it would include more sensitive information which adversaries would look to take advantage of such as contacts with foreign nationals, drug use and financial issues, and other sensitive details.
A new article came out indicating the OPM is paying $20 Million to an identity theft protection company to start notifying individuals affected. OPM is now currently in the process of contacting the approximately 4 million current and federal employees whose personal information may have been exposed. The OPM said it would be offering credit report access, credit monitoring and identify theft insurance and recovery services. The government said it will pay for credit monitoring and identity theft insurance for 18 months to those affected. Obviously, 18 months is nothing if your data has been breached. Lifetime credit monitoring would be warranted, but obviously that comes at a cost.
The irony is, when affect employees gets an email from a strange outside company that indicates that their Personally Identifying Information (PII) may have been compromised, I would definitely question the validity of that email before providing any information to that company. I would definitely check with the federal agency’s Chief Information Office (CIO) to validate the email and company and then would also check with the specified company’s website (by typing the company’s URL in your web browser, and NOT by clicking on any link in the email). From my sources, the company contracted by OPM is Winvale, which is a reseller of a brand of fraud protection services OPM is providing called CSID. Information on the OPM data breach can be found here: csid.com/opm/
Here are ten steps that Federal employees or anyone who has been victim of a theft of personal information should take to protect their identity from compromise:
- Monitor your bank, credit card, investment, and other financial accounts. Determine if it is possible to put additional verbal passwords to your accounts that don’t involve any information that can be gathered through public records. The key is to determine if there are additional security measures that can be put on your account to prevent access to your accounts for wire transfers or changing any information on your account without this required password.
- Look into putting a credit freeze on your credit file at the credit bureaus. It’s almost come to the point where everyone should consider having their credit files frozen so that someone can’t open new accounts in their name. It may cost a $5 or so to freeze and unfreeze your credit file when you apply for a loan or rent a new place to live, but this prevents anyone from opening a new account with your name. For more information on credit freezes, Brian Krebs, an excellent security journalist, has written an excellent blog post concerning credit freezes titled “How I Learned to Stop Worrying and Embrace the Security Freeze”.
- Consider paying for identity theft protection. You’re looking for the kind that can alert you to any underground use of your Social Security number, credit card numbers, driver’s license number or email. Identify theft protection services really comes down to the assessment of your risk of having your identify compromised, and the amount of work you are willing to do yourself to protect your identity compared to paying a company for these services. I will conduct some research on identify theft protection services and discuss in a future post.
- Follow good password creation as Christina mentioned in her previous blog post on password security.
- Watch out for suspicious emails or phone calls that try to trick you into disclosing personal information. As I mentioned above, if someone has your private information, than can easily craft an email to trick you into providing more information or access to your network accounts. Also, criminals are also aware of the massive breach and will prey on the affected federal workforce to try to scam them into clicking on links or providing more personal information. As I mentioned in my previous blog post, if you receive an unsolicited phone call concerning the data breach, just hang up.
- Be cautious on Social Media. If anyone has personal information about you, it can be easy for them to try to befriend you on social media sites like Facebook or Linked In, specifying that they knew you from high school, or knew you from your hometown. Be cautious on who you allow to be part of your social media community and what information you share, especially if you use personal information such as your pets name or the name of your high school mascot in answers to your security questions for financial institutions.
- Keep an eye out for anything odd happening with respect to your accounts. For example, if you receive a medical explanation of benefits for a provider you don’t recognize, or a rejection letter for an account you didn’t apply for, your identity may have been compromised.
- Use two factor authentication on your financial accounts. Many financial institutions are now realizing the benefits of two factor authentication. I will explain the benefits in a separate blog post. But, this provides and extra level a security which prevents someone from accessing your account without you knowing it. For example, if someone is able to get a hold of your password but tries to login from computer which has never been used before, the financial institution would send you text with a code to enter before granting you access.
- Check your credit reports regularly. You’re entitled to one free credit report per year from each of the three major credit bureaus. Go to annualcreditreport.com or call 1-877-322-8228. Or you can fill out a paper request and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, Georgia 30348-5281. You’ll be asked to provide your name, address, Social Security number, date of birth and which bureau you want a report from (Equifax, TransUnion or Experian).
- Make use of Companies Credit Monitoring Services. If your data has been compromised and you are offered credit monitoring services and insurance from the company or agency that as breached, use it. One of the biggest costs to companies and organizations is for them to have to notify affected personnel and provide protections for those whose data has been compromised. They are paying for it, so there is no reason for you not to take advantage of it. Brian Krebs has a blog post titled “Are credit monitoring services are worth it”, which provides answers on whether its worth paying for credit monitoring services after the initial free services provided by the breached company ends.
Are you a victim of any of these security breaches and what other steps have you taken to protect your identify?