Is it Too Late to Safeguard Employee Data?

The short answer is no. The fact that someone made off with data on millions of employees, retirees and others does not give anyone a free pass on protecting employee data.

Like most people who pay attention to the goings-on in government, I have been watching, reading and listening to the news about the OPM data breach. I have done a bit more than “pay attention” because I spent many years as a Federal employee. Last week I received my notice that my data had been compromised. For anyone who wonders what such a notice says, here it is:

I am writing to inform you that the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information.

Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) to determine the impact to Federal personnel. OPM immediately implemented additional security measures and will continue to improve the security of the sensitive information we manage.

You are receiving this notification because we have determined that the data compromised in this incident may have included your personal information, such as your name, Social Security number, date and place of birth, and current or former address. To help ensure your privacy, upon your next login to OPM systems, you may be required to change your password.

OPM takes very seriously its responsibility to protect your information. While we are not aware of any misuse of your information, in order to mitigate the risk of potential fraud and identity theft, we are offering you credit monitoring service and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution. All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months. Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID until 12/7/16.

To access the trusted pages that will facilitate enrollment into this identity protection service, type or paste the following website into your browser: https://www.csid.com/opm

You will need to use the PIN code at the top of this correspondence to enroll in these services. Individuals can also contact CSID with any questions about these free services by calling this toll free number, 844-777-2743 (International callers: call collect at 512-327-0705). 

Protector Plus coverage includes:

  • Credit Report and Monitoring: Includes a TransUnion® credit report and tri-bureau monitoring for credit inquiries, delinquencies, judgments and liens, bankruptcies, new loans and more
  • CyberAgent® Internet Surveillance: Monitors websites, chat rooms and bulletin boards 24/7 to identify trading or selling of your personal information
  • Identity Theft Insurance: Reimburses you for certain expenses in the event that your identity is compromised with a $1,000,000 insurance policy
  • Court and Public Records Monitoring: Know if your name, date of birth and Social Security number appear in court records for an offense that you did not commit
  • Non-Credit Loan Monitoring: Know if your personal information becomes linked to short-term, high-interest payday loans that do not require credit inquiries
  • Change of Address Monitoring: Monitor to see if someone has redirected your mail
  • Social Security Number Trace: Know if your Social Security number becomes associated with another individual’s name or address
  • Sex Offender Monitoring: Know if sex offenders reside in your zip code, and ensure that your identity isn’t being used fraudulently in the sex offender registry
  • Full-Service Identity Restoration: Work with a certified identity theft restoration specialist to restore your ID if you experience any fraud associated with your personal information

These services are offered as a convenience to you. However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose. Any alleged issues of liability concerning OPM or the United States for the matters covered by this letter or for any other purpose are determined solely in conformance with appropriate Federal law. Please note that these services are offered to the specific addressee of this letter and are not available to anyone other than the individual who received this notification.
 
We regret this incident. Please be assured that OPM remains deeply committed to protecting the privacy and security of information and has taken appropriate steps to respond to this intrusion. The incident was uncovered as a result of OPM’s aggressive effort to update its cybersecurity posture over the past year, including the addition of numerous tools and capabilities to its networks that both help detect and deter a cyber-attack.
 
Please note that neither OPM nor any company acting on OPM’s behalf will contact you to confirm any personal information. If you are contacted by anyone purporting to represent OPM and asking for your personal information, do not provide it.
 
To learn more and enroll, visit CSID’s website at https://www.csid.com/opm
 
Sincerely, Donna K. Seymour
Chief Information Officer
U.S. Office of Personnel Management

We still do not know everything we need to know about the breach. I am particularly concerned by news reports (not confirmed by OPM) that it may include both data and images from the Electronic Official Personnel Folder (EOPF). The many forms in the EOPF include some that are created as hard copy forms for a pen and ink signature, then scanned into EOPF. Among the most worrisome of those forms is the Federal Employees Group Life Insurance Designation of Beneficiary (SF-2823). That form not only contains an employee or retiree’s personal information, it also includes the name, address and Social Security number of all of their beneficiaries. If EOPF is among the systems that were hacked, the problem becomes much messier. It is easy to identify the Personally Identifiable Information (PII) in most systems: it is simply a matter of looking at the data elements to see which of them contain PII. For data stored as images, it is a bit more difficult to identify all of the PII they contain, but it is possible. The good news is that it is also a bit harder for the people who stole the information to extract it.
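The distinction drawn above, between PII that sits in named data elements and PII locked inside scanned images, is the basis of a data-inventory pass that an agency can run over its own HR records before an incident rather than after one. The Python script below is an added example and is not code from the original article or from any OPM system: it walks constructed, fake HR records, tags each field by content (Social Security number and date-of-birth patterns), by field name (a weaker signal, tagged as such), and flags image-valued fields such as a scanned SF-2823 that pattern matching cannot inspect and that must be routed to OCR or manual review. The field names, record layout and byte signatures are assumptions chosen for illustration.

```python
import re

# Constructed sample records (all values fake) shaped like the HR data the
# article describes: employee identity fields, a beneficiary's SSN from a
# Designation of Beneficiary form, and a scanned copy of the signed form
# stored as bytes. Nothing here comes from a real system.
SAMPLE_RECORDS = [
    {
        "emp_name": "A. Example",
        "ssn": "123-45-6789",
        "dob": "1970-01-02",
        "addr": "1 Main St, Anytown",
        "beneficiary_ssn": "987-65-4321",
        "sf2823_scan": b"%PDF-1.4 <constructed stand-in for a scanned form>",
    },
    {
        "emp_name": "B. Example",
        "ssn": "000-12-3456",
        "dob": "02/03/1981",
        "addr": "2 Main St, Anytown",
        "beneficiary_ssn": "",
        "sf2823_scan": None,
    },
]

# Content patterns: these find PII by inspecting the value itself.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\b")

# Name hints (assumed column-naming convention): a field called "addr" is PII
# even though a street address has no reliable regex. Hints are a weaker
# signal than a content match, so their tags say so.
NAME_HINTS = {
    "ssn": "ssn-by-name",
    "dob": "dob-by-name",
    "birth": "dob-by-name",
    "addr": "address-by-name",
}

# Byte-valued fields are where scanned forms live. Pattern matching cannot
# see into them, so they are flagged for OCR or manual review instead.
IMAGE_MAGIC = (b"%PDF", b"\x89PNG", b"\xff\xd8\xff")  # PDF, PNG, JPEG headers


def classify_field(name, value):
    """Return the set of PII tags for one data element (empty if none)."""
    tags = set()
    lname = name.lower()
    if isinstance(value, (bytes, bytearray)):
        if bytes(value).startswith(IMAGE_MAGIC):
            tags.add("scanned-image:needs-ocr-review")
        else:
            tags.add("binary:needs-review")
        return tags
    if isinstance(value, str):
        if SSN_RE.search(value):
            tags.add("ssn")
        if DOB_RE.search(value):
            tags.add("dob")
    for hint, tag in NAME_HINTS.items():
        if hint in lname:
            tags.add(tag)
    return tags


def inventory(records):
    """Aggregate tags per field across all records.

    This is the data-element view the article describes: which columns hold
    PII at all, regardless of which individual rows happen to be filled in.
    """
    result = {}
    for rec in records:
        for name, value in rec.items():
            result.setdefault(name, set()).update(classify_field(name, value))
    return result


def fields_needing_review(inv):
    """Fields whose PII could not be established by pattern matching."""
    return sorted(n for n, tags in inv.items() if any("needs-" in t for t in tags))


if __name__ == "__main__":
    inv = inventory(SAMPLE_RECORDS)
    for name in sorted(inv):
        print(f"{name:16} {sorted(inv[name])}")
    print("route to OCR/manual review:", fields_needing_review(inv))
```

The inventory is deliberately per-field rather than per-row: a column that holds an SSN in one record holds it in all of them, so the output is a list of data elements to protect (and of image fields that need a second, slower pass), which is the starting point for deciding which HR systems carry PII at all.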

Another bit of good news is that critical employee information is now being viewed differently. We must guard, though, against the bureaucratic tendency to pay attention to an issue only while the press, the White House and the Congress are asking questions. It is easy to slip back into complacency after the noise dies down. We cannot let that happen.

As bad as this breach is, it is far from the end of the story. Agencies continue to hire new employees whose data has not been stolen. The people who committed this breach will want to continue gathering information. There are still criminals who want employee PII for fraud and identity theft. The people who want to get this type of information will continue attempting to hack government systems every day, just as they have for many years. Because they are not going to stop, agencies have to start treating HR systems as mission critical and safeguarding them as though their mission success depends on it – because it does.

Protect Federal Workers from the Consequences of Data Theft

The Office of Personnel Management’s recent disclosure of a massive cyber breach highlights the risks of systems that contain Personally Identifiable Information (PII). OPM is a target for these types of attacks because it houses enormous amounts of PII. The nature of OPM’s work is such that it is impossible for the agency to avoid storing PII on everyone in the Federal government and on all Federal retirees. OPM maintains health and life insurance and retirement systems, along with a massive database of background investigation data. Its mission ensures it is always going to be a target.

OPM is not the only Federal agency that maintains large stores of PII. Every agency has to have records on its employees. Those records include name, address, date of birth, social security number, names of their immediate family members (on beneficiary forms), places they have previously lived (in investigative records and payroll/personnel history files), and much more private information. In fact, virtually every bit of information someone needs to steal the identity of a Federal employee, ruin their credit and cause massive disruption to their lives is sitting in Federal human resources systems.

The amount of PII housed by human resources organizations might lead one to think – “How many cybersecurity employees do most HR organizations have?” The answer might surprise most readers, because it is none. Agencies typically rely on their Chief Information Officer and security staff, along with the Federal Bureau of Investigation and the Department of Homeland Security, to provide services needed to protect data and recover from breaches. They generally assume the providers of systems they buy will ensure those systems are secure. While it is clearly not the mission of HR to provide cybersecurity services, it is their mission to guard the PII they obtain from employees. We should rethink how HR approaches this responsibility and consider placing assets from the Chief Information Officer’s team (or whichever organization the agency assigns cybersecurity to) in the HR office. Embedding some of those resources in the HR team (while organizationally remaining attached to the CIO) will give them a far better picture of the types of data being gathered, how it is used, and what is happening to it.

We have to accept the fact that the cyber realm is the next great battlefield. So much of our world is now driven by information technology that it has become a highly effective method of attack. Bad actors, whether they be states or criminals, are going to continue to find ways to exploit weaknesses in systems. There is no way to avoid having large stores of data, and there is no way to guarantee they will never be hacked. We cannot have perfect cybersecurity, but we can have effective cybersecurity. Agencies that view cyber security as nothing more than a compliance exercise, where they make certain their employees complete a few minutes of annual training and they install updates as vendors provide them, are putting themselves and their workforce at risk.

That workforce risk is substantial. Although agencies generally worry more about mission systems than workforce data, the harm that can be caused to employees is a mission risk. If employees are worried about their financial and personal information being disclosed, they may be less productive or unwilling to remain in government. If deeply personal information included in security questionnaires is stolen, they may be subject to blackmail. If their identities are stolen or they suffer financial harm, they may be more susceptible to being lured into disclosing agency information for money. Disrupting the workforce could be a very effective means of disrupting an agency’s operations. The OPM breach highlights the risk that HR systems carry and may encourage others to go after employee data. The number of HR systems is mind-boggling. In DHS alone, in 2011 we had almost 400 different HR systems. While not all of them contained PII, many did. Agencies must ensure they are using the most current tools and practices for intrusion detection and response, identity management, credentialing and access management for any HR system that includes PII. HR systems need to be treated as the mission critical systems they are.

If we recognize the certainty of continued cyber attacks and the likelihood of another breach, what can we do to reduce the risk of personal harm? Obviously better cybersecurity is the first step. Agencies have to do a better job of protecting the information they gather and produce. Because we know breaches will still occur, we need to do more to help employees be prepared. That means securing employee data and providing employees with the training and tools they need to protect themselves. Here are three steps that would move us in the right direction:

  • Disclose breaches as soon as it is operationally possible to do so. The breach at OPM occurred in December 2014, was discovered in April 2015 and was disclosed in June 2015. Agencies may have legitimate security reasons for not immediately disclosing a breach, but delays in disclosure must be based on security risks and not on political and public relations concerns.
  • Provide better training to employees to protect their own data and to recognize threats that may occur when their PII is stolen. For example, most people use simple passwords and use the same password repeatedly in every system they access. If their information is stolen from one system, the thieves have a head start on accessing other systems because they already have the employee’s overused password. Bad actors will continue refining their approaches, but that does not mean we have to hand our information to them on a silver platter.
  • Provide ongoing credit monitoring services for all Federal employees. Because they work for the United States government, Federal workers will always be in the crosshairs of our enemies. They cannot refuse to provide PII to their employer, and the steps they can take on their own to protect data are limited. Credit monitoring does not protect data, but it does help employees to discover the threats to their financial security that data theft can produce, even when a breach has not been discovered or disclosed.

Cybersecurity is an ongoing concern that will never go away. As our dependence on technology grows, so will the efforts of people with bad intent. Federal workers need to know that their employer is doing everything that it can to protect their information and has taken steps to protect them from data theft even when the government does not know it has happened.