OPM Hack Victims Must Re-Enroll Starting December 1 to Keep Monitoring Services

Posted: 12:37 am ET

 

Some former and current federal employees whose personal data was compromised in the OPM data breach will have to re-enroll starting December 1 to continue receiving monitoring protection from a USG contractor. OPM doesn’t say what will happen to the data that feds and former feds have already submitted to CSID, but those who enrolled in that service will no longer have access to their CSID accounts when that contract expires on December 1. The Government Executive is reporting that as many as 600,000 individuals impacted by the initial hack will need to re-enroll to continue monitoring services through ID Experts. How is it that CSID is not able to port data over to ID Experts? Below from OPM:

OPM is announcing a change to the credit monitoring and identity protection service provider that will affect a subset of individuals impacted by the personnel records cyber incident announced in the summer of 2015. Most impacted individuals will not experience any change to their current coverage, and do not need to take any action, but a subset of individuals will need to re-enroll to continue coverage.

OPM currently uses two different companies to provide credit monitoring and identity protection services free of charge to impacted individuals. Winvale/CSID covers the 4.2 million individuals impacted by the personnel records cyber incident and ID Experts (MyIDCare) covers the 21.5 million individuals impacted by the background investigations cyber incident. As of December 1, coverage under Winvale/CSID will expire.

Credit monitoring and identity protection services from Winvale/CSID expire on December 1, 2016. Once services with Winvale/CSID expire, you will no longer have access to information in your Winvale/CSID account. If you wish to review or print your credit reports or other monitoring information from your Winvale/CSID account, please log in to your account prior to December 1.

As of December 2, 2016 all individuals impacted by either incident will be eligible for coverage through ID Experts (MyIDCare).

According to OPM, individuals currently covered by ID Experts (MyIDCare) will not experience a change in their coverage or service at this time and do not need to take any action. More:

Starting December 1, individuals previously covered by Winvale/CSID will be offered services through IDExperts (MyIDCare). Impacted individuals will also still be automatically covered by identity restoration and identity theft insurance, but you will need to re-enroll with ID Experts (MyIDCare) if you would like to continue to receive monitoring services.

Most of the individuals covered by Winvale/CSID were also impacted by the background investigation records cyber incident. These individuals should already have received a letter from OPM inviting them to enroll in services with ID Experts (MyIDCare) and providing them with a 25-digit PIN code.

If you previously received a notification letter in connection with the background investigation records incident and wish to enroll with ID Experts (MyIDCare) now, you will need to use the 25-digit PIN code provided in this letter. Click here if you have your 25-digit PIN code and wish to enroll now.

If you believe you previously received a notification letter in connection with the background investigation records incident, but no longer have your original notice, you can visit the Verification Center to obtain a duplicate copy by U.S. Postal Service.

If you are in the subset of individuals who were not impacted by the background investigations incident, you will be receiving a new notification letter from OPM via the U.S. Postal service with a 25-digit PIN that you can use to enroll with ID Experts (MyIDCare). We expect to mail the majority of these notifications in November 2016.

Note that OPM makes clear that ID Experts cannot enroll victims without the 25-digit PIN code and cannot provide former/current employees with a PIN code over the phone.

Read more here: https://www.opm.gov/cybersecurity/ and https://www.opm.gov/cybersecurity/personnel-records/.

And while you’re reading how to re-enroll, you might want to read about grafted fingerprints and the hackers’ long-term intentions, because why not? If the data has not surfaced for sale, we have to wonder what that hack was about.

 

#


Notifications of Individuals Potentially Affected By #OPMHack on a Rolling Basis From June 8-June 19

Posted: 4:15 am EDT

 

On May 28, just days before the OPM breach was reported, OPM issued a solicitation for OPM Privacy Act Incident Services. The services required include 1) notification services, 2) credit report access services, 3) credit monitoring services, 4) identity theft insurance and recovery services, and 5) project management services. According to the solicitation, these services will be offered, at the discretion of the Government, to individuals who may be at risk due to compromised Personally Identifiable Information (PII). The $20,760,741.63 contract for Call 1 was awarded to Winvale Group, LLC (http://winvale.com) on June 2 but was published on fedbiz on June 5, the day after the breach was reported. Call 1 contract includes services to no more than 4 million units/employees.

Here’s what the company says via: http://winvale.com:

[Screenshot of the winvale.com home page, captured 2015-06-15]

Excerpted from CSID FAQ:

What systems were affected?

For security reasons, OPM cannot publicly discuss specifics of the systems that might be affected by the compromise of personnel data. Additionally, due to the ongoing FBI investigation, it would be inappropriate to publicly provide information that may impact current work by law enforcement. OPM has added additional security controls to better protect overall networks and systems and the data they store and process.

What personal information was compromised?

OPM maintains personnel records for the Federal workforce. The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, and current and former addresses. The communication to potentially affected individuals will state exactly what information may have been compromised.

Why didn’t OPM tell affected individuals about the loss of the data sooner?

OPM became aware of an intrusion in April 2015. OPM worked with the DHS’s Computer Emergency Readiness Team (US-CERT) as quickly as possible to assess the extent of the malicious activity and to identify the records of individuals who may have been compromised. During the investigation, OPM became aware of potentially compromised data in May 2015. With any such event, it takes time to conduct a thorough investigation, and identify the affected individuals.

It is important to note that this is an ongoing investigation that could reveal additional exposure; if that occurs, OPM will conduct additional notifications as necessary. Protecting the integrity of the information entrusted to the Office of Personnel Management is the agency’s highest priority.

I did not receive a letter stating that my information was compromised, but feel that I should have. Can you help me?

OPM is aware of the affected data and the networks and the data on which it resides. OPM will begin sending notifications to individuals whose PII may have been compromised on June 8, 2015. These notifications will take place on a rolling basis through June 19, 2015.

What are the risks of identity theft with the information that was compromised?

Receiving a letter does not mean that the recipient is a victim of identity theft. OPM is recommending that people review their letters and the recommendations provided. In order to mitigate the risk of fraud and identity theft, OPM will offer credit report access, credit monitoring and identity theft insurance and recovery services at no cost to them, through CSID®. This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services.

How long will it take to inform all the potential victims involved in the incident?

OPM will begin conducting notifications to affected individuals using e-mail and/or USPS First Class mail on June 8, 2015 and will continue notifications on a rolling basis through June 19, 2015.

Can my [family member] also receive services if he/she is part of my file/records?

Your [family member] was not affected by this breach. The only data potentially exposed as a result of this incident is your personal data.

To see the full list of Frequently Asked Questions, click here. This is not dated, and it does not include any information on the potential breach of security clearance data.

If SF-86s are compromised, wouldn’t the breach potentially also affect family members?

#

1) More Systems Compromised in #OPMHack, 2) A Love Letter to Hackers, and 3) What’s a Credit Freeze?

Posted: 3:29 am EDT

 

On June 4, OPM released a statement on “a cybersecurity incident” that potentially affected personnel data of current and former federal employees, including personally identifiable information (PII) (see OPM Hack Compromises Federal Employee Records, Not Just PII But Security Clearance Info). The initial estimate was that the OPM hack affected potentially 4 million employees. On June 12, fedscoop reported that the American Federation of Government Employees (AFGE) believed that the breach may have compromised personal data of as high as 14 million employees.

We understand that the State Department issued a notice to employees concerning the OPM breach on June 4. A second notice dated June 12 (we’re told this was actually a June 11 notice) was shared with BuzzFeed (see below). Several unnamed State Department employees were quoted in that BuzzFeed article, a tell-tale sign of growing frustration that we can also see from our inbox.


Excerpt from email sent by Under Secretary of Management Pat Kennedy on June 12 (via BuzzFeed)

This is an update to my previous e-mail of June 4th [repeated at the very end of this message.]

As was communicated last week, the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the Personally Identifiable Information (PII) of some current and former Federal employees. This email provides additional information regarding next steps for those affected State Department employees. But, every employee should read this email.

In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from [DELETED] and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks. To protect yourself, we encourage you to check the following:

1. Make sure the sender email address is [DELETED]

2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.

3. The email subject should be exactly [DELETED]

4. Do not click on the included link. Instead, record the provided PIN code, open a web browser then manually type the URL [DELETED]. You can then use the provided instructions to enroll [DELETED].

5. The email should not contain any attachments. If it does, do not open them.

6. The email should not contain any requests for additional personal information.

7. The official email should look like the sample screenshot below.

Additional information has also been made available beginning on June 8, 2015 on the company’s website [DELETED].

Regardless of whether or not you receive this notification, employees should take extra care to ensure that they are following recommended cyber and personal security procedures. If you suspect that you have received a phishing attack, contact your agency’s security office.

In general, government employees are often frequent targets of “phishing” attacks, which are surreptitious approaches to stealing your identity, accessing official computer systems, running up bills in your name, or even committing crimes using your identity. Phishing schemes use e-mail or websites to trick you into disclosing personal and sensitive information.
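The seven-point list in the State Department notice is a checklist a reader applies by eye, but most of it can also be checked mechanically before anyone acts on a notification. The script below is an added example written for this post; it is not code from the post, the State Department, OPM or the contractor. The real sender address, subject line and enrollment URL were redacted in the notice, so the constants here are constructed placeholders, the two sample messages are constructed, and the keyword list used for point 6 (requests for additional personal information) is a heuristic assumption. Point 7 (compare against the sample screenshot) cannot be automated and is left to the reader.

```python
"""Check a breach-notification e-mail against the State Department's list.

Added example; not code from the post, the State Department or OPM. The real
sender address, subject line and enrollment URL were redacted in the notice,
so the constants below are constructed placeholders.
"""
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Constructed placeholders standing in for the redacted values (points 1, 2, 3).
EXPECTED_SENDER = "notifications@example-provider.test"
EXPECTED_SUBJECT = "Important Notice Regarding Your Personal Information"
MY_WORK_ADDRESS = "jane.doe@state.test"

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Heuristic for point 6; this phrase list is an assumption, not from the notice.
PII_REQUEST_RE = re.compile(
    r"social security|password|date of birth|mother'?s maiden|reply with|confirm your",
    re.IGNORECASE,
)


def check_notification(raw_message: str) -> tuple[list[str], list[str]]:
    """Return (violations, links) for a raw RFC 5322 message.

    An empty violations list means points 1, 2, 3, 5 and 6 all pass. Links are
    returned separately because point 4 is an instruction to the reader (type
    the URL by hand, do not click), not a property that makes the mail fake.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    violations = []

    # 1. Sender address must be exactly the announced one.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != EXPECTED_SENDER:
        violations.append(f"sender is {sender!r}, expected {EXPECTED_SENDER!r}")

    # 2. Sent only to my work address; nobody else in To, Cc or Bcc.
    headers = [str(v) for name in ("To", "Cc", "Bcc") for v in msg.get_all(name, [])]
    recipients = {addr.lower() for _, addr in getaddresses(headers) if addr}
    if recipients != {MY_WORK_ADDRESS}:
        violations.append(f"recipients are {sorted(recipients)}, expected only my work address")

    # 3. Subject must match exactly (no added "URGENT:" prefixes and the like).
    subject = str(msg.get("Subject", "")).strip()
    if subject != EXPECTED_SUBJECT:
        violations.append(f"subject is {subject!r}, expected {EXPECTED_SUBJECT!r}")

    # 5. No attachments at all, whatever their type.
    attachments = [p.get_filename() or p.get_content_type()
                   for p in msg.walk() if p.is_attachment()]
    if attachments:
        violations.append(f"unexpected attachment(s): {attachments}")

    # Body text for points 4 and 6 (plain text preferred over HTML).
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    # 6. Must not ask for additional personal information.
    if PII_REQUEST_RE.search(body):
        violations.append("body asks for additional personal information")

    # 4. Report any links so the reader types the URL manually instead of clicking.
    links = URL_RE.findall(body)
    return violations, links


# Constructed sample: what a legitimate notification would look like under the
# placeholder values above.
OFFICIAL_NOTICE = """\
From: notifications@example-provider.test
To: jane.doe@state.test
Subject: Important Notice Regarding Your Personal Information
Content-Type: text/plain; charset="utf-8"

Your PIN code is 0000-0000-0000. Enroll at https://enroll.example-provider.test/
using the instructions in this message.
"""

# Constructed sample: a look-alike that breaks points 1, 2, 3, 5 and 6.
PHISHING_LOOKALIKE = """\
From: security-team@example-provider-support.test
To: jane.doe@state.test
Cc: all-staff@state.test
Subject: URGENT: Important Notice Regarding Your Personal Information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please reply with your Social Security Number to verify your enrollment:
http://enroll-verify.example-attacker.test/login

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="enrollment.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("official", OFFICIAL_NOTICE), ("look-alike", PHISHING_LOOKALIKE)):
        violations, links = check_notification(raw)
        print(f"{label}: {len(violations)} violation(s); links to type manually: {links}")
        for v in violations:
            print("  -", v)
```

Running the script reports no violations for the constructed official notice and five for the look-alike (wrong sender, an extra Cc recipient, a modified subject, a PDF attachment and a request to reply with a Social Security Number). The links list is non-empty for both, which is the point of item 4: a link is not evidence either way, so it is surfaced rather than judged.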

Oh, man.

Hopefully no one will copy this “recipe” to send folks a fake notification to enroll somewhere else.

On May 28, just days before the OPM breach was reported, OPM issued a solicitation for OPM Privacy Act Incident Services. The services required include 1) notification services, 2) credit report access services, 3) credit monitoring services, 4) identity theft insurance and recovery services, and 5) project management services. According to the solicitation, these services will be offered, at the discretion of the Government, to individuals who may be at risk due to compromised Personally Identifiable Information (PII). The $20,760,741.63 contract for Call 1 was awarded to Winvale Group, LLC on June 2 but was published on fedbiz on June 5, the day after the breach was reported. Call 1 contract includes services to no more than 4 million units/employees.

Note that the State Department notice dated June 12 says that the “email should not contain any attachments” (#5). The OPM services awarded on June 2 include the following:

3.1.1.2 Contractor email Notification: The Contractor will prepare and send email notifications to affected individuals using read receipts. Emails (or attachments) will appear on Government letterhead, will contain Government-approved language, and will contain the signature of the Government official(s). Emails may contain one or more attachments. Email notification proof(s) will be provided to the Government for approval not later than 48 hours after award of a Call against the BPA. The Government will approve the email notification within 24 hours to enable the Contractor to begin preparation for distribution. The Contractor will require, receipt, track, and manage read receipts for email notifications.

Get that?

Now this. Somebody from State sent us a love letter for the hackers:

Dear Hackers: While you’re in there, please get my travel voucher for $291.46 approved, permanently cripple Carlson Wagonlit so we can stop wasting money on a useless product, and figure out how many special political hires there really are roaming our halls. Oh and please don’t use my SF-86 info against my parents, it isn’t their fault I was an idiot and gave the government every last bit of info on my entire life. I’m sure there’s more but it’s the weekend, let’s chat Monday. #LetsActLikeNothingHappened #SeriouslyThoughWTF.

And because the initial report is often understated per abrakadabra playbook hoping the bad news will go away, we’re now hearing this:

Oops, wait, what’s this?

Well, here is part of that email sent from “M” on  June 15, 5:35 pm ET:

“OPM has recently discovered that additional systems were compromised. These systems include those that contain info related to background investigations of current, former, and prospective Federal government employees, as well as other individuals from whom a Federal background investigation was conducted. This separate incident…was discovered as a result of OPM’s aggressive efforts to update its cybersecurity posture… OPM will notify those individuals whose info may have been compromised as soon as practical. You will be updated when we have more info on how and when these notifications will occur.”

So that original OPM estimate of 4 million affected employees is now OBE. That original $20 million contract will potentially go up.

Brian Krebs’ piece on credit monitoring, the default response these days when a breach happens, is worth a read. Basically, he’s saying that credit monitoring services aren’t really built to prevent ID theft (read Are Credit Monitoring Services Worth It?).

What can you do besides the suggestions provided by the State Department and OPM? Brian Krebs suggests a “credit freeze” or a “security freeze” not discussed or offered by OPM. Check out the very informative Q&A here.

 

We know what else is on our to-do list today.

#