Slashdot Mirror


Government Still Hasn't Notified Individuals Whose Personal Data Was Hacked

schwit1 writes: Months after the federal government admitted publicly that the personal data of more than 20 million government employees had been hacked they still have not sent notifications to those millions. The agency whose data was hacked, the Office of Personnel Management (OPM), said the Defense Department will begin "later this month" to notify employees and contractors across the government that their personal information was accessed by hackers. OPM said notifications would continue over several weeks and "will be sent directly to impacted individuals." OPM also announced that it hired a contractor to help protect the identities and credit ratings of employees whose data was hacked. In a statement, OPM said it had awarded a contract initially worth more than $133 million to a company called Identity Theft Guard Solutions LLC, doing business as ID experts, for identity theft protections for the 21.5 million victims of the security data breach. The contractor will provide credit and identity monitoring services for three years, as well as identity theft insurance, to affected individuals and dependent children aged under 18, the agency said.

39 of 71 comments

  1. Assume it's all out there. by trout007 · · Score: 5, Insightful

    We had some idiot in our HR department of a US Government Agency with everyone's personal information on their unencrypted laptop. Of course they left it in the back seat of their car and it was stolen. Nobody fired or demoted.

    We also had our IT department send out an e-mail from a fake IP saying to follow a link to test the strength of your password. Something like 35% of the people fell for it.

    Meanwhile I can't get the software I need to perform the work I am hired to do because I have so much crap running in the background of my machine that it's completely unstable.

    --
    I love Jesus, except for his foreign policy.
    1. Re:Assume it's all out there. by Ol Olsoc · · Score: 1

      Of course they left it in the back seat of their car and it was stolen. Nobody fired or demoted.

      and

      Meanwhile I can't get the software I need to perform the work I am hired to do because I have so much crap running in the background of my machine that it's completely unstable.

      Anytime, anywhere, anything like this happens, the people who had nothing at all to do with it are the ones who get punished.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Assume it's all out there. by Anonymous Coward · · Score: 1

      Devil's advocate:

      The problem with government is that it is perceived as uncool to work for, so all the top notch IT talent is either gone or surrounded by people less experienced who make the decisions. Contractors can help... but to someone who isn't versed in the industry, how can one tell a security contractor who knows their stuff, versus a lot of "suit wearing chatter monkeys"? Try hiring another contractor to check the work of the first, and you run into collusion issues.

      Then add the fact that hiring legions of H-1Bs is very cheap (so much that it is often a requirement for a contract since it "saves money"), and one gets these horror stories, either due to cluelessness, or the fact that the data can be sold back home for a good price.

      What really needs to happen in government is a giant enema. Start with the agencies who know what they are doing, let them oversee the rebuilding of IT structures of more problematic agencies.

      OPM data needs to have its own classification. It should not be SBU or just PII, but at least with restrictions where only US citizens can maintain it (access is another story and a different ballgame, but the people keeping the data and backing it up shouldn't be the people fresh off the lowest bidder's boat.)

      There are other items as well. Laptops, workstations, even SANs should be covered under DAR regulations [1]. There are many other regulations that come with FISMA that, had they been heeded, would not have allowed this breach to happen.

      The core of the matter is that with the current contractor system we have now, the buck stops with nobody, and there is always a finger that can be pointed to somewhere else. It either needs to go back to personal responsibility, or go to direct government employees.

      [1]: This is very brain dead simple. BitLocker is extremely easy to use. Encrypting tapes is easy as well -- just set a password [2]. All new SANs have self encrypting drives. Even Windows Server 2016

      [2]: Yes, there are appliances like what some companies sell, which give each tape its own key [3]... but for almost everyone, just setting a password across all devices on a silo and perhaps changing it every fiscal year is good enough, and will ensure a tape that falls off the Iron Mountain truck won't be a major compromise.

      [3]: Of course, backing up those appliances is hard... want a backup? Buy another appliance and replicate. Want to back that up? Buy yet another to have the keys replicate. Complete site outage? Buy another appliance and have that replicate offsite.

    3. Re:Assume it's all out there. by bitingduck · · Score: 1

      Well it's worse now.

      It wasn't clear if that laptop had all the content of the SF-85/85P/86 forms, I don't think they admitted to it being more than the information they used as default passwords for the eQIP system plus basic ID information of who they belonged to. The OPM breach is the complete contents of the forms that everyone filled out since 2000, plus all the investigation data (not much if you're an SF-85, but potentially quite a lot if you're an SF-86). And they had such poor security that they pretty much gave it all away.

    4. Re:Assume it's all out there. by trout007 · · Score: 1

      Right. Not sure what the right term is. The link text looked legit but if you looked at the link itself it was something else. Here is the link
      http://passwordtest.it-securit...

      --
      I love Jesus, except for his foreign policy.
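    The mismatch trout007 describes (link text that reads as a legitimate address while the href points elsewhere) is something a mail gateway or awareness tool can flag mechanically. The following is an added example, not code from the poster or from Slashdot; the mail body and domains in it are constructed and hypothetical, and `find_deceptive_links` is a name chosen here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the <a> currently open, else None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text a reader would take to be an address: a bare domain or a URL.
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


def host_of(value):
    """Lowercased host of a URL or bare domain, with a leading 'www.' dropped."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_deceptive_links(html_body):
    """Return anchors whose displayed address points somewhere other than its href."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        if not URL_LIKE_TEXT.match(text):
            continue            # "click here" style text: nothing to compare
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append({"text": text, "href": href,
                             "shown_host": shown, "actual_host": actual})
    return findings


# Constructed sample mail body (hypothetical domains, not the poster's link).
SAMPLE_EMAIL = """
<p>IT Security reminder: please test your password strength at
<a href="http://passwordtest.lookalike-host.example/login">
https://passwordtest.agency.example/check</a> before Friday.</p>
<p>Questions? See <a href="https://intranet.agency.example/help">intranet.agency.example/help</a>
or <a href="https://intranet.agency.example/help">click here</a>.</p>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL):
        print(f"shown {f['shown_host']} but href goes to {f['actual_host']}")
```

    Only the first anchor is reported: its visible text names one host while the href names another, whereas a same-host link and a "click here" link pass.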
    5. Re:Assume it's all out there. by antdude · · Score: 1

      Do you have access to disable and uninstall them?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  2. Identity theft? Try blackmail mitigation instead.. by burtosis · · Score: 3, Insightful

    Given this OPM hack, along with Ashley Madison and other cross-correlating data that's been hacked, I'd assume the bigger threat is blackmail here. Sadly data security, even on sensitive military databases, is neglected and not even up to the crappy standards of many businesses.

  3. They hired a low bid contractor! by plopez · · Score: 1

    I feel so much better now. Because we all know the private sector is so good at security. And their diligent employees never walk out the door with sensitive information.

    --
    putting the 'B' in LGBTQ+
    1. Re:They hired a low bid contractor! by plopez · · Score: 1

      Yes I do. And if you think you haven't lost SSN; or the equivalent in your country; age, sex, address, and other information from banks, retailers and other companies you are naive.

      --
      putting the 'B' in LGBTQ+
    2. Re:They hired a low bid contractor! by bitingduck · · Score: 1

      This isn't credit card data we're talking about here, this is just about all the information you can get on someone.

      And has been collated and verified through alternate sources. It's not like you can give a bunch of fake information every time you renew your access (security clearance or otherwise) - they check it against what they already have and what they get from other agencies and your references and follow up if there are significant changes/differences.

    3. Re:They hired a low bid contractor! by bitingduck · · Score: 1

      Yes I do. And if you think you haven't lost SSN; or the equivalent in your country; age, sex, address, and other information from banks, retailers and other companies you are naive.

      The OPM breach is a whole lot more than that for anybody with a clearance. It includes lists of friends, neighbors, associates, their contact information, things that they know about you that may not be in any database, how long they've known you, plus financial information, in some cases medical information, all neatly collated and verified for millions of people.

    4. Re:They hired a low bid contractor! by Spazmania · · Score: 3, Insightful

      You've never filled out an SF86, have you? No one else has that much information about you all in one file. Not even your relatives. A private investigator could get most of it, but it would be expensive to track down.

      No one else except the Chinese apparently. :(

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    5. Re:They hired a low bid contractor! by bitingduck · · Score: 1

      Not too much of a difference these days that I can see. Except in the case of the government you, at least theoretically, have Constitutional protections.

      The SC has said very little about privacy in the last many decades, but the basic principle is that you have no right to privacy for information that has ever been shared with anyone else. So you have no constitutional protections. You have some *very* weak protections through the privacy act. Depending on what state you live in, you likely have more legal protection in the case of data breaches at private companies.

  4. Follow the $ by rfengr · · Score: 2

    Delayed long enough for OPM bureaucrats to retire and form Identity Theft Guard Solutions LLC to make bank?

  5. Need legislation to fix ID theft NOW by PeterM from Berkeley · · Score: 4, Insightful

    The fact that ID theft is a problem for consumers is mostly a CROCK.

    Why should lenders be allowed to commit libel WITH IMPUNITY against innocent consumers?

    It is THEIR fault they didn't bother doing MINIMUM DUE DILIGENCE before loaning someone money!

    What kind of IDIOT gives out money without VERIFYING who they are giving it to? Does ANYONE think that a SSN and DoB are "verification" of identity?

    Companies and people should NOT be able to use credit reporting agencies to libel someone whose identity they haven't positively established with IMPUNITY.

    Congress should IMMEDIATELY pass a law that if a lender can't provide POSITIVE PROOF that the person whose reputation they are trashing is in fact the SELF SAME person who they loaned money to, they should not be allowed to:

    1) Put ANY adverse information in their credit report
    2) Make ANY attempt to continue collection after the person asserts ONCE that he wasn't the person they loaned the money to

    It should NEVER have been allowed that lenders get a free pass to be careless with THEIR money and then impose ANY of the cost of being defrauded due to THEIR OWN NEGLIGENCE on the innocent.

    Write Congress on this one, folks!

    Also, lawyers, how about a class action lawsuit against lenders for libel?

    Best,

    --PeterM

    1. Re:Need legislation to fix ID theft NOW by sociocapitalist · · Score: 1

      While you're writing letters the banking lobby is either buying off those same officials one way or another.

      That, or convincing them that the economy is too important and too fragile to allow lending institutions to take the hit.

      You'd do better to stop borrowing so much and invest in bank stocks.

      --
      blindly antisocialist = antisocial
    2. Re:Need legislation to fix ID theft NOW by jwdb · · Score: 1

      That solves the problem for some people, but not for those in my situation - I just moved across the country. People from other countries already face this problem: they have no US credit history, so for years they're screwed as far as credit is concerned.

      I must admit that I don't know what to do about it, however. I can see the system is broken, but I don't know how to fix it. The European (well, Belgian as far as I know) solution is to not have credit history at all and instead to have far stricter bankruptcy laws, but those laws are a ball and chain around the country's entrepreneurs.

    3. Re:Need legislation to fix ID theft NOW by Bob the Super Hamste · · Score: 1

      Maybe presenting proof of identification in person. I would suggest a government issued identification card like a driver's license or passport. Additionally, that information should be verifiable against a database. So you hand over your driver's license to a bank; they look at the picture and verify that it matches the face that is looking at them, then they enter the license number and state into the DB and up pops the picture on record as well as the other information on the license, and they verify that it matches the picture on the license that they just verified matches your face. For their own records, the lending institution should have to keep a picture of the identifying document you presented as well as a picture of you on the day you arrived, so that if there is a question about the authenticity of the loan they can present this information.

      Another idea would be for some sort of government managed PKI system for the general population where the individual never shares the private key with the government. I can sign and/or encrypt e-mails at work using a PKI system, and in Europe* their credit cards make use of a PKI system, so why can't the same be done in the US at a national level?

      *Yes I know there is something similar here in the US that is being rolled out, but chip and PIN is better than the stupid chip and sign.

      --
      Time to offend someone
  6. Hard to contact people with bad information by jfdavis668 · · Score: 4, Insightful

    We had a data breach of personal data, and needed to contact all those involved. When we obtained everyone's email and mailing address, we were surprised how bad the data was, particularly for anyone who had left. One person moved to Melbourne, Austria. Other addresses were town name only, no state or zip. Whoever entered it just thought it was obvious where that town was. Email servers are shut down and replaced, or departments reorganized, and everyone's email changes. No one thinks to tell the personnel department about these changes. Then, when you have a need for the data, you find half of it out of date. When there is no problem, no one pays attention to the data and tries to fix the problems.

  7. Re:Identity theft insurance by jimbolauski · · Score: 2

    The good news is that data from the OPM hack has not been spotted for sale; this is likely because the OPM data is being used by the Chinese for espionage. The Chinese don't want your identity, they want to know how they can approach you to get classified information.

    --
    Knowledge = Power
    P= W/t
    t=Money
    Money = Work/Knowledge so the less you know the more you make
  8. Some notifications already out by SuperKendall · · Score: 4, Informative

    The article summary makes it seem as if no-one has been notified, but I know at least one person who works for the federal government that was notified a week or so after the leak was revealed (and given information about the credit monitoring agency).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Some notifications already out by evendiagram · · Score: 1

      As someone awaiting the results of the 2nd OPM breach, it was slightly confusing internally as well. The first OPM breach was announced on June 4th, 2015 with the second breach announced on June 12th. Notifications and credit monitoring service information was released on a rolling basis from June 8th to June 19th. I'm assuming the 2nd was of a much larger scale.

    2. Re:Some notifications already out by evendiagram · · Score: 1

      Correction: Notifications and credit monitoring service information for the first OPM incident was released on a rolling basis from June 8th to June 19th.

    3. Re:Some notifications already out by bitingduck · · Score: 3, Informative

      The first one was about 4M people, all direct USG employees. The second was at least 22M people, a very large fraction of whom are contractors who work for companies of various sizes and need regular access to USG facilities or sensitive information. It's more significant information about many more people, and they've done pretty much nothing about it other than blame China for doing exactly the same thing the US would have done (and may have...)

  9. Notification from OPM by Anonymous Coward · · Score: 1

    Plenty of blame to go around here, but in the interest of accuracy, both my spouse and I received detailed notification from OPM over a month ago. So far, no damage done and the notification did provide instructions on implementation of ID protection.

  10. Re:If one refuses to be proactive ... by Ol Olsoc · · Score: 2

    .. don't get your name, your photo, or anything that is related to you, online - or even in a database, anywhere

    Better move to Idaho, and build a compound. Oh wait - you'll still be in someone's database.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  11. Over 20 million employees? by CCarrot · · Score: 2

    The most shocking statement in this article, to me, is that there are more than 20 million government employees in the US...that's over half the population of Canada!

    Granted, that's only about 6% of the population of the US, but still...wow...that's a pretty high MER.

    --
    "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    1. Re:Over 20 million employees? by Anonymous Coward · · Score: 1

      That's a bit misleading, there are NOT more than 20 million government employees in the US. According to OPM, the Federal workforce totaled 4,185k people in 2014, including the military. (https://www.opm.gov/policy-data-oversight/data-analysis-documentation/federal-employment-reports/historical-tables/total-government-employment-since-1962/)

      Regarding the breach discovered in June 2015, read the OPM press release:
      OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen. Notifications for this incident have not yet begun.

      Yes, it's a travesty and has been handled poorly. As one of the affected individuals, my employer is providing identity theft protection at their expense.

    2. Re:Over 20 million employees? by bitingduck · · Score: 1

      The most shocking statement in this article, to me, is that there are more than 20 million government employees in the US...that's over half the population of Canada!

      It's not 20M current employees.

      It's everybody who's worked directly for the government or worked as a contractor who needed regular access to a government facility or needed a security clearance (probably mostly contractors) since 2000, and maybe before. And people who applied in that period and got as far as the investigation forms and were declined. It's everyone who filled out one of three forms: SF-85 (people in non-sensitive positions), SF-85P (people in "public trust" but not national security positions), and SF-86 (security clearances secret or higher), including all the information from the investigation.

    3. Re:Over 20 million employees? by CCarrot · · Score: 1

      Ah, okay then, that makes more sense! Thanks for the clarification!

      Just over 4000 people is a lot better than 20 million, but the number of people who apply to government positions (the reason, I assume, why they'd want a background investigation?) is still impressive! Or, as a previous poster mentioned, perhaps it simply included a *lot* of historical data.

      Whoops, I see another poster mentioned that if you just want to work on a government contract, you would need the background investigation through E-QUIP. Now the numbers start to look reasonable, even if their actions are not.

      Good luck with this, glad your employer is stepping up for you guys!

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    4. Re:Over 20 million employees? by Spazmania · · Score: 1

      That was 4.2 million, not 4.2 thousand.

      The 22 million is folks listed on forms by individuals who applied for a government security clearance. That's employees, contractors and all of their immediate family.

      That having been said, nearly 40 million people in the US either work for the government as employees or work for them indirectly under one contract or another.

      https://markstoval.wordpress.c...

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    5. Re:Over 20 million employees? by CCarrot · · Score: 1

      The most shocking statement in this article, to me, is that there are more than 20 million government employees in the US...that's over half the population of Canada!

      It's not 20M current employees.

      It's everybody who's worked directly for the government or worked as a contractor who needed regular access to a government facility or needed a security clearance (probably mostly contractors) since 2000, and maybe before. And people who applied in that period and got as far as the investigation forms and were declined. It's everyone who filled out one of three forms: SF-85 (people in non-sensitive positions), SF-85P (people in "public trust" but not national security positions), and SF-86 (security clearances secret or higher), including all the information from the investigation.

      Wow, that is a much wider range than just 'government employees'. 20 million definitely starts to make sense in that context, even if their refusal to deal with the situation doesn't.

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    6. Re:Over 20 million employees? by CCarrot · · Score: 1

      That was 4.2 million, not 4.2 thousand.

      The 22 million is folks listed on forms by individuals who applied for a government security clearance. That's employees, contractors and all of their immediate family.

      That having been said, nearly 40 million people in the US either work for the government as employees or work for them indirectly under one contract or another.

      https://markstoval.wordpress.c...

      Whoops, sorry, reading comprehension fail :)

      40 million direct and indirect employees, though...wow. 12.5% of the population. How much are your income taxes again? Not that Canada's doing any better in that regard. I'd be curious to see what the comparative numbers north of the border are...

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    7. Re:Over 20 million employees? by gymell · · Score: 1

      I've never been a government employee, but I am a contractor who worked for a subcontractor on a project that required a security clearance. So I had to submit a form SF-86 and this means that my data is part of this hacking. I've yet to receive any official notification about it.

    8. Re:Over 20 million employees? by superwiz · · Score: 1

      I actually thought the 6% figure was shocking. Government employees (past and present) account for ~20% of the US GDP. This figure doesn't take into account the money paid by the government to other citizens (then the figure goes up to 35%). So if 6% of the population were consuming 20% of the GDP, they'd be considered a fairly wealthy class. Turns out it's less than 6% of the population (almost none of the past government contractors are on government pensions).

      --
      Any guest worker system is indistinguishable from indentured servitude.
    9. Re:Over 20 million employees? by bitingduck · · Score: 1

      You would be safe in assuming your wife's data was also taken: https://www.opm.gov/cybersecur...

      Scroll down to "how you may be affected"

  12. Re:Will notifications make it worse by bitingduck · · Score: 1

    They should just contract with whoever boosted the data - they have everything they need to verify that they've contacted the correct people and probably have more interest in knowing your current address than OPM does.

  13. well, maybe by superwiz · · Score: 1

    maybe they are just negotiating with the individuals in possession of the information to um... sort it out so that the government itself can have efficient access to it? maybe even make it... umm... searchable... so they can figure out who's who? probably cheaper to pay terrorists to do it than the government contractors.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  14. erm by Aryden · · Score: 1

    I got my notification as did everyone else in my office.