Cyber-Hack May Have Compromised Federal Employee Info, Says OPM

The U.S. Office of Personnel Management (OPM) announced Thursday that personal information of four million current and former federal employees may have been compromised, according to an announcement released late Thursday by OPM.

OPM says it uncovered the cyber-hack in April, while beefing up its networks.

NBC News reported Thursday night that Chinese hackers may be behind the attack and called it the “biggest cyber attack in American history,” with names, Social Security numbers and birth dates at risk. CNN characterized the hack as coming from the Chinese government.

Northern Virginia is home to thousands of current and former federal workers. “Thursday’s report of a second data breach at OPM is very disturbing,” said Congressman Gerry Connolly, who represents Northern Virginia’s 11th congressional District. “Based on the cyber-signatures and method of attack, all indications point to Chinese hackers. But there is a lot we don’t know yet and the investigation is ongoing. In this instance, the Department of Homeland Security initially detected malicious activity in April and determined in May that OPM systems were breached.

Also read: Sen. Warner: OPM Cyberattack ‘Part of Troubling Pattern’

“While improvements have been made to protect federal government computer systems from such cyberattacks, this latest breach is one more reason federal agencies must continue to implement more proactive cyber-security measures,” he said. “Such measures should include aggressive implementation of the Federal Information Security Modernization Act (FISMA), which requires the government to universally adopt precisely the type of proactive measures that detected this most recent data breach.

“We must also work toward more dynamic security options which conduct continuous, 24-7 monitoring of government computers to discover malicious indicators of cyberattacks in real time,” Connolly said.

Since OPM uncovered the security hack, it has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation to determine the impact to Federal personnel. And OPM immediately implemented additional security measures to protect the sensitive information it manages.

Beginning Monday and continuing through June 19, OPM will send notifications to approximately 4 million individuals whose Personally Identifiable Information was potentially compromised in this incident, OPM said. The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

In order to mitigate the risk of fraud and identity theft, OPM is offering affected individuals credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. This 18-month membership includes credit report access, credit monitoring, identity theft insurance, and recovery services and is available immediately at no cost to affected individuals identified by OPM.

Additional information is available beginning at 8 a.m. CST on Monday on the company’s website, www.csid.com/opm (external link), and by calling toll-free 844-222-2743 (International callers: call collect 512-327-0700).

Steps for Monitoring Your Identity and Financial Information, suggested by OPM:

• Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
• Request a free credit report at www.AnnualCreditReport.com (external link) or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov (external link).
• Review resources provided on the FTC identity theft website, www.identitytheft.gov (external link). The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
• You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.

Precautions to Help You Avoid Becoming a Victim, according to OPM:

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, www.us-cert.gov/ncas/tips/ST04-013 (external link)).
• Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (www.antiphishing.org (external link)).
• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, www.us-cert.gov/ncas/tips/ST04-004 (external link); Understanding Anti-Virus Software, www.us-cert.gov/ncas/tips/ST04-005 (external link); and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007 (external link)).
• Take advantage of any anti-phishing features offered by your email client and web browser.
• Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov (external link).
• Additional information about preventative steps by consulting the Federal Trade Commission’s website, www.identitytheft.gov (external link). The FTC also encourages those who discover that their information has been misused to file a complaint with the commission using the contact information below.
  
  Identity Theft Clearinghouse
  Federal Trade Commission
  600 Pennsylvania Avenue, NW
  Washington, DC 20580
  www.identitytheft.gov (external link)
  1-877-IDTHEFT (438-4338)
  TDD: 1-202-326-2502