OPM Hack. Are they doing enough?
CAPT Kevin B. 748841
2015-06-15T12:05:33-04:00

Just came in. OPM's initial (hopefully) response with disclaimers. What do you think?

I am writing to inform you that the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information.

Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) to determine the impact to Federal personnel. OPM immediately implemented additional security measures and will continue to improve the security of the sensitive information we manage.

You are receiving this notification because we have determined that the data compromised in this incident may have included your personal information, such as your name, Social Security number, date and place of birth, and current or former address. To help ensure your privacy, upon your next login to OPM systems, you may be required to change your password.

OPM takes very seriously its responsibility to protect your information. While we are not aware of any misuse of your information, in order to mitigate the risk of potential fraud and identity theft, we are offering you credit monitoring service and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution. All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months. Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID until 12/7/16.

To access the trusted pages that will facilitate enrollment into this identity protection service, type or paste the following website into your browser: https://www.csid.com/opm.

You will need to use the PIN code provided to enroll in these services. Individuals can also contact CSID with any questions about these free services by calling this toll free number, [login to see] (International callers: call collect at [login to see]).

Protector Plus coverage includes:
• Credit Report and Monitoring: Includes a TransUnion® credit report and tri-bureau monitoring for credit inquiries, delinquencies, judgments and liens, bankruptcies, new loans and more
• CyberAgent® Internet Surveillance: Monitors websites, chat rooms and bulletin boards 24/7 to identify trading or selling of your personal information
• Identity Theft Insurance: Reimburses you for certain expenses in the event that your identity is compromised with a $1,000,000 insurance policy
• Court and Public Records Monitoring: Know if your name, date of birth and Social Security number appear in court records for an offense that you did not commit
• Non-Credit Loan Monitoring: Know if your personal information becomes linked to short-term, high-interest payday loans that do not require credit inquiries
• Change of Address Monitoring: Monitor to see if someone has redirected your mail
• Social Security Number Trace: Know if your Social Security number becomes associated with another individual’s name or address
• Sex Offender Monitoring: Know if sex offenders reside in your zip code, and ensure that your identity isn’t being used fraudulently in the sex offender registry
• Full-Service Identity Restoration: Work with a certified identity theft restoration specialist to restore your ID if you experience any fraud associated with your personal information

These services are offered as a convenience to you. However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose. Any alleged issues of liability concerning OPM or the United States for the matters covered by this letter or for any other purpose are determined solely in conformance with appropriate Federal law. Please note that these services are offered to the specific addressee of this letter and are not available to anyone other than the individual who received this notification.

We regret this incident. Please be assured that OPM remains deeply committed to protecting the privacy and security of information and has taken appropriate steps to respond to this intrusion. The incident was uncovered as a result of OPM’s aggressive effort to update its cybersecurity posture over the past year, including the addition of numerous tools and capabilities to its networks that both help detect and deter a cyber-attack.

Please note that neither OPM nor any company acting on OPM’s behalf will contact you to confirm any personal information. If you are contacted by anyone purporting to represent OPM and asking for your personal information, do not provide it.

To learn more and enroll, visit CSID’s website at https://www.csid.com/opm.

Col Joseph Lenertz 748848
Not close to enough. They violated the law. There is a legal requirement to encrypt data at rest. They did not do it. I predict a class action lawsuit.
Response by Col Joseph Lenertz made Jun 15 at 2015 12:07 PM 2015-06-15T12:07:47-04:00

GySgt Wayne A. Ekblad 749065
In my opinion --- absolutely not! Frankly, the actions being taken now seem to be little more than putting a bandage on an amputation.
Response by GySgt Wayne A. Ekblad made Jun 15 at 2015 1:43 PM 2015-06-15T13:43:43-04:00

PO1 John Miller 749086
I have been watching this case with interest, since I do have an active government granted security clearance. I have not yet received any notifications that my OPM data may have been compromised.

With that said, they are NOT doing enough to protect against loss.
Response by PO1 John Miller made Jun 15 at 2015 1:50 PM 2015-06-15T13:50:09-04:00

CW5 Private RallyPoint Member 749112
They will have done enough when they implement the appropriate measures to fix the problem and distribute lessons learned so other internet connected services that contain PPI are secured as well.

Only by learning and implementing proper security controls will we get better. Remember though, increasing security hampers usability or ease of use. The most secure computer is the one not connected to a network and locked in a vault.
Response by CW5 Private RallyPoint Member made Jun 15 at 2015 1:58 PM 2015-06-15T13:58:06-04:00

GySgt Wayne A. Ekblad 750332
After China hack is discovered to include security files, White House tells agencies to lock down systems ...

http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/15/after-china-hack-is-discovered-to-include-security-files-white-house-tells-agencies-to-lock-down-systems/?tid=hpModule_308f7142-9199-11e2-bdea-e32ad90da239&hpid=z14
Federal agencies have been criticized for moving slowly to protect their computer networks against intruders.
Response by GySgt Wayne A. Ekblad made Jun 16 at 2015 3:44 AM 2015-06-16T03:44:09-04:00

Maj Kevin "Mac" McLaughlin 1601427
Did they do enough? Obviously not. Could they? Absolutely. Are they doing enough now? I doubt it but I have no insight into what they've been instructed to do and how they're doing it. I know what could be done and they need advisors who understand the aspects of maintaining confidentiality, integrity, and availability of this data.
Response by Maj Kevin "Mac" McLaughlin made Jun 6 at 2016 3:04 PM 2016-06-06T15:04:25-04:00