The recent breach of government employee databases run by the federal government’s Office of Personnel Management (OPM) brings home the importance of Internet security.
As always happens in situations like these, some people overreact and some underreact. In fairness, the situation at the time of this writing is still playing itself out, so we don’t know with any assurance what the correct response should be.
But it’s safe to say that this isn’t the beginning of World War III fought in cyberspace. It’s also safe to say that this breach shouldn’t be pooh-poohed, business as usual.
What we do know with certainty is that in June 2015 OPM announced that personnel records of millions of former and current government employees had been compromised. Later, prospective government employees who underwent security checks were added.
Data hacked included names, addresses, dates and places of birth, and Social Security numbers—data that can be used by bad guys to steal your identity. It may also have included security-clearance information such as facts about family members, college roommates, foreign contacts, psychological profiles, and even information provided by neighbors.
Currently OPM is notifying people who may have been affected. It’s also offering potentially affected people credit report access, credit monitoring services, and identity theft insurance for 18 months at no cost to them through the company CSID, at csid.com/opm.
OPM has described the incident as “one of the largest” breaches of government data in history. It may be the largest. The breach was noticed by OPM in April, and it may have started in March 2014 or perhaps even earlier.
It’s also unclear who the hackers are. As of this writing, no government agency involved, including the FBI and the Department of Homeland Security, has confirmed anything. But according to media reports, “unnamed government officials” have said based on limited evidence that the hack originated in China. If it did, it’s not clear if it was perpetrated by the Chinese government, by hackers supported by the Chinese government, or by independent hackers looking for financial gain.
OPM had been warned in audit reports about weaknesses in its security, some of which are a result of “legacy,” or old, computer systems still in use. Clearly more resources need to be allocated for security of government databases.
So what should you do right now, whether you’re a government worker or not? These recommendations apply to anyone whose identity may have been compromised or who’s at risk that it may be compromised in the future. One truly scary part is that this applies to every adult in the U.S. One reassuring part is that there are things you can do, such as:
Information gathering—espionage—is nothing new, of course. In recent years, it, like much else in modern life, has moved in part online. We, as Americans, just need to do a better job of protecting our data than we have.
The latest information about the OPM data security breach can be found at opm.gov/cybersecurity. The Federal Trade Commission has good general information about identity theft, protecting yourself from it as well as recovering from it, at identitytheft.gov and consumer.ftc.gov.