OPM warns 4 million federal employees following cyber-intrusion

This story was last updated at 10:04 a.m. (EST) on June 5, 2015.

The Office of Personnel Management will notify 4 million former and current federal employees that their personally identifiable information (PII) may have been compromised by a major cyber-intrusion of its information technology systems.

OPM said it will send email notifications to those affected from June 8-19. The email will come from opmcio@csid.com. If OPM doesn’t have an email address on file, it says it will send a standard letter in the mail. The notification will also contain information on free credit monitoring services the government will offer to all individuals impacted.

OPM is working with the Homeland Security Department’s Computer Emergency Readiness Team (US-CERT) and the FBI to assess the scope of the attack, which occurred in April.

A U.S. official, who declined to be named because he was not authorized to publicly discuss the data breach, told the Associated Press the breach could potentially affect every federal agency. One key question is whether intelligence agency employee information was stolen.

The Office of Personnel Management conducts more than 90 percent of federal background investigations, according to its website.

Sen. Susan Collins (R-Maine), a member of the Senate intelligence committee, told the Associated Press the hackers were believed to be based in China. She said the breach was “yet another indication of a foreign power probing successfully and focusing on what appears to be data that would identify people with security clearances.”

The Chinese Foreign Ministry responded Friday by saying such claims are unproven and irresponsible, and that it wishes the United States would trust it more.

“We know that hacker attacks are conducted anonymously, across nations, and that it is hard to track the source,” said Hong Lei, a spokesman for the ministry. “It’s irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation.”

Beijing routinely dismisses any allegation of its official involvement in cyberattacks on foreign targets, while invariably noting that China is itself the target of hacking attacks.

The Department of Homeland Security said in a statement that data from the Interior Department had also been compromised.

OPM detected the intrusion of its cyber system using a comprehensive network monitoring plan developed with DHS.

“Using these newly identified cyber indicators, DHS’s United States-Computer Emergency Readiness Team (US-CERT) used the EINSTEIN system to discover a potential compromise of federal PII,” a DHS spokesperson said. “Working with the affected agency and other inter-agency partners, US-CERT cyber incident response teams were deployed to identify the scope of the potential intrusion and mitigate any risks identified. Based upon these response activities, DHS concluded at the beginning of May 2015 that OPM data had been compromised.”

It was unclear why the EINSTEIN system didn’t detect the breach until after so many records had been copied and removed.

“DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion,” the statement said.

FBI is investigating how and why the incident occurred and DHS is continuing to monitor federal networks, looking for any suspicious activity.

“Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network,” OPM said, in a release.

Cybersecurity expert Morgan Wright of the Center for Digital Government, an advisory institute, said EINSTEIN “certainly appears to be a failure at this point. The government would be better off outsourcing their security to the private sector where there’s at least some accountability.”

Due to the ongoing nature of the investigation, more PII exposures may be revealed. OPM said it will notify individuals if that is the case. To mitigate the risk of fraud or identity theft, OPM is offering identity theft insurance, credit monitoring and credit report access to those who may have been impacted.

“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” said OPM Director Katherine Archuleta. “We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.”

Concern grows over latest cyber attack

Sen. Richard Burr, chairman of the Senate Select Committee on Intelligence, issued a statement saying that the OPM breach demonstrated that cybersecurity must be a top priority for the government.

“Every day, these attacks are getting more technically advanced and now another agency has been compromised,” he said. “We cannot continue to look the other direction. Our response to these attacks can no longer simply be notifying people after their personal information has been stolen; we must start to prevent these breaches in the first place.”

Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security and Governmental Affairs Committee, said the data breach at OPM demonstrates how agencies are vulnerable to cyber threats.

“It is disturbing to learn that hackers could have sensitive personal information on a huge number of current and former federal employees,” Johnson said. “It is even more troubling that this is only the latest in a series of cyberattacks on the Office of Personnel Management. OPM says it ‘has undertaken an aggressive effort to update its cybersecurity posture.’ Plainly, it must do a better job, especially given the sensitive nature of the information it holds.”

J. David Cox Sr., national president of the American Federation of Government Employees, said in a statement that the breach affected 2.1 million current federal employees and 2 million federal retirees and former feds, adding that the attack targeted personnel records.

“AFGE is working closely with the administration to determine the extent of the breach and explore ways to remediate it,” Cox said in a statement. “We will work with the administration to ensure that all available measures be taken to secure the personal information of all affected employees, and that these measures be implemented as soon as possible. AFGE will demand accountability and will take every necessary step to see that the interests and security of the nearly 700,000 people we represent are addressed.”

Rep. Gerry Connolly (D-Va.) called for greater cybersecurity at federal agencies.

“While improvements have been made to protect federal government computer systems from such cyber attacks, this latest breach is one more reason federal agencies must continue to implement more proactive cybersecurity measures. Such measures should include aggressive implementation of the Federal Information Security Modernization Act (FISMA), which requires the government to universally adopt precisely the type of proactive measures that detected this most recent data breach,” Connolly said.

Colleen Kelley, president of the National Treasury Employees Union, released a statement expressing concern about the breach and the range of employee data that OPM keeps.

“It is vital to know as soon as possible the extent to which, if any, personal information may have been obtained so that affected employees can be notified promptly and encouraged to take all possible steps to protect themselves from financial or other risks,” Kelley said in the statement.

This isn’t the first time OPM has had to notify federal employees that their PII may have been exposed by a cyber breach.

Last December, OPM announced that “out of an abundance of caution” it was notifying 48,439 federal employees that their PII data may have been exposed due to a compromised computer network at KeyPoint Government Solutions, the largest private provider of background check services for the federal government.

“Today’s reported breach is part of a troubling pattern by this agency in failing to secure the personal data of federal employees – the second major breach in a year,” Sen. Mark Warner (D-Va.), member of the Senate Select Committee on Intelligence, said in a statement. “Cyber attacks present a critical threat to our national security and our economy. We cannot afford to keep dragging our feet in addressing the escalating threats posed by hackers out to steal individuals’ personal information.”

Also in January, OPM experienced a security glitch in its retirement services portal, which let some users log in and access other retirees’ personal information.

“Although this breach may not have been the result of a cyber attack, it still demonstrates the challenges faced by federal agencies and private sector organizations in safeguarding personally identifiable information,” said Rep. Elijah Cummings (D-Md.), at the time.

On the current OPM breach, Cummings released a statement: “The number and frequency of cyber attacks on our nation continue to grow at an alarming rate, both against government and private sector targets. It is critical to ensure that businesses and federal agencies identify and implement cutting-edge safeguards to combat these increasingly sophisticated attackers.”


The following guidance for those impacted is taken directly from OPM:

Steps for Monitoring Your Identity and Financial Information:

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus — Equifax®, Experian®, and TransUnion® — for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.
  • Review resources provided on the FTC identity theft website, www.identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.

How to avoid being a victim:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy).
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls; Understanding Anti-Virus Software; and Reducing Spam).
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.

The Associated Press contributed to this story.
