ALL Foreign Affairs Agencies Affected By #OPMHack: DOS, USAID, FCS, FAS, BBG and APHIS

Posted: 6:15  pm  PDT
[twitter-follow screen_name=’Diplopundit’ ]

 

AFSA has now issued a notice to its membership on the OPM data breach. Below is an excerpt:

On Thursday June 4, the Office of Personnel Management (OPM) became aware of a cybersecurity incident affecting its systems and data. AFSA subsequently learned that the Personally Identifiable Information (PII) of many current and former federal employees at the foreign affairs agencies have been exposed as a result of this breach.

The most current information provided to AFSA indicates the following: Most current, former and prospective federal employees at ALL foreign affairs agencies have been affected by this breach. That includes the State Department, USAID, FCS, FAS, BBG and APHIS. OPM discovered a new breach late last week which indicates that any current, former or prospective employee for whom a background investigation has been conducted is affected.

In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from opmcio@csid.comand it will contain information regarding credit monitoring and identity theft protection services being provided to those federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service. All the foreign affairs agencies suggest that those affected should contact the firm listed below. Members of the Foreign Commercial Service may additionally contact Commerce’s Office of Information Security at informationsecurity@doc.gov.

As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks.  To protect yourself, we encourage you to check the following:

  1. Make sure the sender email address is “opmcio@csid.com“.
  2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.
  3. The email subject should be exactly “Important Message from the U.S. Office of Personnel Management CIO”.
  4. Do not click on the included link. Instead, record the provided PIN code, open a web browser, manually type the URL http://www.csid.com/opm into the address bar and press enter. You can then use the provided instructions to enroll using CSID’s Web portal.
  5. The email should not contain any attachments. If it does, do not open them.
  6. The email should not contain any requests for additional personal information.
  7. The official email should look like the sample screenshot below.
image via afsa.org

image via afsa.org

Additional information has been made available on the company’s website, www.csid.com/opm, and by calling toll-free 844-777-2743 (International callers: call collect 512-327-0705).

Agency-Specific Points of Contact:

If you have additional questions, contact AFSA’s constituency vice presidents and representatives:

Read the full announcement here.

Amidst this never ending round of data breaches, go ahead and read Brian Krebs’ How I Learned to Stop Worrying and Embrace the Security Freeze. The USG is not offering to pay the cost of a credit freeze but it might be worth considering.

Of course, the security freeze does not solve the problem if the intent here goes beyond stealing USG employees’ identities.   If the hackers were after the sensitive information contained in the background investigations, for use at any time in the future, not sure that a credit freeze, credit monitoring and/or ID thief protection can do anything to protect our federal employees.

Security clearance investigations, by their very nature, expose people’s darkest secrets — the things a foreign government might use to blackmail or compromise them such as drug and alcohol abuse, legal and financial troubles and romantic entanglements. (via)

I understand why the USG has to show that it is doing something to address the breach but — if a foreign government, as suspected, now has those SF-86s, how can people protect themselves from being compromised? If this is not about compromising credit, or identities of USG employees but about secrets, credit monitoring and/or ID thief protection for $20 Million will be an expensive but useless response, wouldn’t it?

#

Advertisements

Notifications of Individuals Potentially Affected By #OPMHack on a Rolling Basis From June 8-June 19

Posted: 4:15 am  EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

On May 28, just days before the OPM breach was reported, OPM issued a solicitation for OPM Privacy Act Incident Services. The services required include 1) notification services, 2) credit report access services, 3) credit monitoring services, 4) identity theft insurance and recovery services, and 5) project management services. According to the solicitation, these services will be offered, at the discretion of the Government, to individuals who may be at risk due to compromised Personally Identifiable Information (PII).  The $20,760,741.63 contract for Call 1 was awarded to Winvale Group, LLC (http://winvale.com) on June 2 but was published on fedbiz on June 5, the day after the breach was reported. Call 1 contract includes services to no more than 4 million units/employees.

Here’s what the company says via: http://winvale.com:

Screen Shot 2015-06-15

click for larger view

Excerpted from CSID FAQ:

What systems were affected?

For security reasons, OPM cannot publicly discuss specifics of the systems that might be affected by the compromise of personnel data. Additionally, due to the ongoing FBI investigation, it would be inappropriate to publicly provide information that may impact current work by law enforcement. OPM has added additional security controls to better protect overall networks and systems and the data they store and process.

What personal information was compromised?

OPM maintains personnel records for the Federal workforce. The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, and current and former addresses. The communication to potentially affected individuals will state exactly what information may have been compromised.

Why didn’t OPM tell affected individuals about the loss of the data sooner?

OPM became aware of an intrusion in April 2015. OPM worked with the DHS’s Computer Emergency Readiness Team (US-CERT) as quickly as possible to assess the extent of the malicious activity and to identify the records of individuals who may have been compromised. During the investigation, OPM became aware of potentially compromised data in May 2015. With any such event, it takes time to conduct a thorough investigation, and identify the affected individuals.

It is important to note that this is an ongoing investigation that could reveal additional exposure; if that occurs, OPM will conduct additional notifications as necessary. Protecting the integrity of the information entrusted to the Office of Personnel Management is the agency’s highest priority.

I did not receive a letter stating that my information was compromised, but feel that I should have. Can you help me?

OPM is aware of the affected data and the networks and the data on which it resides. OPM will begin sending notifications to individuals whose PII may have been compromised on June 8, 2015. These notifications will take place on a rolling basis through June 19, 2015.

What are the risks of identity theft with the information that was compromised?

Receiving a letter does not mean that the recipient is a victim of identity theft. OPM is recommending that people review their letters and the recommendations provided. In order to mitigate the risk of fraud and identity theft, OPM will offer credit report access, credit monitoring and identify theft insurance and recovery services at no cost to them, through CSID®. This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services.

How long will it take to inform all the potential victims involved in the incident?

OPM will begin conducting notifications to affected individuals using e-mail and/or USPS First Class mail on June 8, 2015 and will continue notifications on a rolling basis through June 19, 2015.

Can my [family member] also receive services if he/she is part of my file/records?

Your [family member] was not affected by this breach. The only data potentially exposed as a result of this incident is your personal data.

To see the full list of Frequently Asked Questions, click here. This is not dated, and it does not include any information on the potential breach of security clearance data.

If SF-86s are compromised, wouldn’t the breach potentially could also affect family members?

#