This intrusion shouldn’t have been entirely unexpected. The U.S. GAO (Government Accountability Office) has been keeping track of attempts on government systems for a while now. In 2006, the GAO reported 5,503 “information security incidents.” That number quickly grew to 67,168 in 2014. When the OPM hack was first discovered, Tony Scott, the new federal chief information officer (CIO), ordered a 30-day “cyber sprint” to directly address security issues. The measures employed included issuing patches for the known critical vulnerabilities, reducing the number of users with special privileges, and enacting two-factor authentication to further protect login processes.
The hackers got away with names, birth dates, home addresses, and Social Security numbers. When the theft was first discovered in April, it was thought that personnel data of 4.2 million current and former government employees had been stolen. Then in early June, the OPM found that other information had been accessed, including background investigation records of current, former, and prospective federal employees and contractors. That added 19.7 million to the 4.2 million already known victims, and that number included 1.8 million nonapplicants who were spouses or cohabitants of applicants. According to the OPM website, “Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints.”
A complaint aired by Jonathan M. Gitlin on the Ars Technica website itemizes some of the pain of those exposed. Gitlin had worked as a policy analyst at the National Institutes of Health, a job that required a Public Trust Security Clearance. On June 4, he received an e-mail from the OPM. It was from Mary K. Wakefield, acting deputy secretary of the Department of Health and Human Services, offering him credit monitoring for 18 months. Gitlin explained his frustration: “This data isn’t mere credit card numbers that can be altered and reissued with minimal pain. It’s our lives—histories, relationships, personal appearance, drug use, educational background, and much more—even biometrics. They can’t be altered and reissued, and a few months of credit monitoring will do little to protect victims from those determined enough to pull off the heist in the first place.” Gitlin points out that his clearance was relatively low level. What about those who filled out the forms and underwent interviews and investigations for jobs involving classified, secret, top secret, or compartmentalized information? “It’s really, really bad,” he concluded.
Actually, the OPM has offered more than just credit monitoring for those affected by the background investigation incident. The agency promised those affected would be mailed “details on the incident and the services available to [them] at no cost for at least three years such as:
- Full service identity restoration support and victim recovery assistance,
- Identity theft insurance,
- Identity monitoring for minor children,
- Continuous credit monitoring, and
- Fraud monitoring services beyond credit files.”
The coverage is extended to spouses and cohabitants, but once you reach others whose information might have been listed on a background information form or interview, the agency has a list of precautions you should take on your own.
On July 9, the White House Office of the Press Secretary published a 3,347-word document titled “FACT SHEET: Administration Cybersecurity Efforts 2015.” The paper describes not only the recent 30-day cyber-sprint effort but also all of the major, nonclassified efforts beginning with the White House Summit on Cybersecurity and Consumer Protection at Stanford University on February 13. Many security measures are already in place, and more are coming. But, meanwhile, Ars Technica Senior Editor Sean Gallagher explained to his readers that “the damage done to national security by this breach far exceeds anything that could be claimed in relationship to the documents leaked by former NSA contractor Edward Snowden.” To begin to remedy the situation at the OPM, a full-on cultural change will be required. The weaknesses exploited at the OPM, Gallagher says, “were problems that had existed in some form for over eight years and possibly longer, exacerbated by outsourcing and poor leadership and planning. These problems are all too common among government agencies because of the ‘checkbox’ approach that agencies have taken to information security.”