
Government Still Hasn't Notified Individuals Whose Personal Data Was Hacked

schwit1 writes: Months after the federal government admitted publicly that the personal data of more than 20 million government employees had been hacked, they still have not sent notifications to those millions. The agency whose data was hacked, the Office of Personnel Management (OPM), said the Defense Department will begin "later this month" to notify employees and contractors across the government that their personal information was accessed by hackers. OPM said notifications would continue over several weeks and "will be sent directly to impacted individuals." OPM also announced that it hired a contractor to help protect the identities and credit ratings of employees whose data was hacked. In a statement, OPM said it had awarded a contract initially worth more than $133 million to a company called Identity Theft Guard Solutions LLC, doing business as ID experts, for identity theft protections for the 21.5 million victims of the security data breach. The contractor will provide credit and identity monitoring services for three years, as well as identity theft insurance, to affected individuals and dependent children aged under 18, the agency said.

  • by trout007 ( 975317 ) on Thursday September 03, 2015 @07:42AM (#50450079)

    We had some idiot in our HR department of a US Government Agency with everyone's personal information on their unencrypted laptop. Of course they left it in the back seat of their car and it was stolen. Nobody fired or demoted.

    We also had our IT department send out an e-mail from a fake IP saying to follow a link to test the strength of your password. Something like 35% of the people fell for it.

    Meanwhile I can't get the software I need to perform the work I am hired to do because I have so much crap running in the background of my machine that it's completely unstable.

    • Of course they left it in the back seat of their car and it was stolen. Nobody fired or demoted.

      and

      Meanwhile I can't get the software I need to perform the work I am hired to do because I have so much crap running in the background of my machine that it's completely unstable.

      Anytime, anywhere, anything like this happens, the people who had nothing at all to do with it are the ones that get punished.

    • by Anonymous Coward

      Devil's advocate:

      The problem with government is that it is perceived as uncool to work for, so all the top notch IT talent is either gone or surrounded by people less experienced that make the decisions. Contractors can help... but to someone who isn't versed in the industry, how can one tell a security contractor who knows their stuff, versus a lot of "suit wearing chatter monkeys". Try hiring another contractor to check the work of the first, and you run into collusion issues.

      Then add the fact that hiri

    • Well it's worse now.

      It wasn't clear if that laptop had all the content of the SF-85/85P/86 forms, I don't think they admitted to it being more than the information they used as default passwords for the eQIP system plus basic ID information of who they belonged to. The OPM breach is the complete contents of the forms that everyone filled out since 2000, plus all the investigation data (not much if you're an SF-85, but potentially quite a lot if you're an SF-86). And they had such poor security that they pr

    • by antdude ( 79039 )

      Do you have access to disable and uninstall them?

  • by burtosis ( 1124179 ) on Thursday September 03, 2015 @07:48AM (#50450099)
    Given this OPM hack along with Ashley Madison and other cross correlating data that's been hacked, I'd assume the bigger threat is blackmail here. Sadly data security, even on sensitive military databases, is neglected and not even up to the crappy standards of many businesses.
  • I feel so much better now. Because we all know the private sector is so good at security. And their diligent employees never walk out the door with sensitive information.

    • by Spazmania ( 174582 ) on Thursday September 03, 2015 @11:24AM (#50451383) Homepage

      You've never filled out an SF86, have you? No one else has that much information about you all in one file. Not even your relatives. A private investigator could get most of it, but it would be expensive to track down.

      No one else except the Chinese apparently. :(

      • by plopez ( 54068 )

        Yes I have, I doubtless have been compromised. I have also applied for a loan, filled out medical forms, registered to vote, registered a motor vehicle etc. There is nothing on the form my employer does NOT have. My employer has work history, next of kin, passport number, proof of citizenship, residence information, reference, military service, and medical information via our health plans.

        Not too much of a difference these days that I can see. Except in the case of the government you, at least theoretically

        • Not too much of a difference these days that I can see. Except in the case of the government you, at least theoretically, have Constitutional protections.

          The SC has said very little about privacy in the last many decades, but the basic principle is that you have no right to privacy for information that has ever been shared with anyone else. So you have no constitutional protections. You have some *very* weak protections through the privacy act. Depending on what state you live in, you likely have more legal protection in the case of data breaches at private companies.

  • by rfengr ( 910026 ) on Thursday September 03, 2015 @08:03AM (#50450139)
    Delayed long enough for OPM bureaucrats to retire and form Identity Theft Guard Solutions LLC to make bank?
  • The fact that ID theft is a problem for consumers is mostly CROCK.

    Why should lenders be allowed to commit libel WITH IMPUNITY against innocent consumers?

    It is THEIR fault they didn't bother doing MINIMUM DUE DILIGENCE before loaning someone money!

    What kind of IDIOT gives out money without VERIFYING who they are giving it to? Does ANYONE think that a SSN and DoB are "verification" of identity?

    Companies and people should NOT be able to use credit reporting agencies to libel someone whose identity they haven't positively established with IMPUNITY.

    Congress should IMMEDIATELY pass a law that if a lender can't provide POSITIVE PROOF that the person whose reputation they are trashing is in fact the SELF SAME person who they loaned money to, they should not be allowed to:

    1) Put ANY adverse information in their credit report
    2) Make ANY attempt to continue collection after the person asserts ONCE that he wasn't the person they loaned the money to

    It should NEVER have been allowed that lenders get a free pass to be careless with THEIR money and then impose ANY of the cost of being defrauded due to THEIR OWN NEGLIGENCE on the innocent.

    Write Congress on this one, folks!

    Also, lawyers, how about a class action lawsuit against lenders for libel?

    Best,

    --PeterM

    • While you're writing letters the banking lobby is either buying off those same officials one way or another.

      That, or convincing them that the economy is too important and too fragile to allow lending institutions to take the hit.

      You'd do better to stop borrowing so much and invest in bank stocks.

  • by jfdavis668 ( 1414919 ) on Thursday September 03, 2015 @08:34AM (#50450221)
    We had a data breach of personal data, and needed to contact all those involved. When we obtained everyone's email and mailing address, we were surprised how bad the data was, particularly anyone who left. One person moved to Melbourne, Austria. Other addresses were town name only, no state or zip. Whoever entered it just thought it was obvious where that town was. Email servers are shut down and replaced, or departments reorganized, and everyone's email changes. No one thinks to tell the personnel department about these changes. Then, when you have a need for the data, you find half of it out of date. When there is no problem, no one pays attention to the data and tries to fix the problems.
  • by SuperKendall ( 25149 ) on Thursday September 03, 2015 @09:19AM (#50450441)

    The article summary makes it seem as if no-one has been notified, but I know at least one person who works for the federal government that was notified a week or so after the leak was revealed (and given information about the credit monitoring agency).

    • As someone awaiting the results of the 2nd OPM breach, it was slightly confusing internally as well. The first OPM breach was announced on June 4th, 2015 with the second breach announced on June 12th. Notifications and credit monitoring service information was released on a rolling basis from June 8th to June 19th. I'm assuming the 2nd was of a much larger scale.
      • Correction: Notifications and credit monitoring service information for the first OPM incident was released on a rolling basis from June 8th to June 19th.
      • by bitingduck ( 810730 ) on Thursday September 03, 2015 @11:11AM (#50451245) Homepage

        The first one was about 4M people, all direct USG employees. The second was at least 22M people, a very large fraction of whom are contractors who work for companies of various sizes and need regular access to USG facilities or sensitive information. It's more significant information about many more people, and they've done pretty much nothing about it other than blame China for doing exactly the same thing the US would have done (and may have...)

  • by Anonymous Coward

    Plenty of blame to go around here, but in the interest of accuracy, both my spouse and I received detailed notification from OPM over a month ago. So far, no damage done and the notification did provide instructions on implementation of ID protection.

  • by CCarrot ( 1562079 ) on Thursday September 03, 2015 @10:05AM (#50450743)

    The most shocking statement in this article, to me, is that there are more than 20 million government employees in the US...that's over half the population of Canada!

    Granted, that's only about 6% of the population of the US, but still...wow...that's a pretty high MER.

    • by Anonymous Coward

      That's a bit misleading, there are NOT more than 20 million government employees in the US. According to OPM, the Federal workforce totaled 4,185k people in 2014, including the military. (https://www.opm.gov/policy-data-oversight/data-analysis-documentation/federal-employment-reports/historical-tables/total-government-employment-since-1962/)

      Regarding the breach discovered in June 2015, read the OPM press release:
      OPM and the interagency incident response team have concluded with high confidence that sensitiv

      • Ah, okay then, that makes more sense! Thanks for the clarification!

        Just over 4000 people is a lot better than 20 million, but the number of people who apply to government positions (the reason, I assume, why they'd want a background investigation?) is still impressive! Or, as a previous poster mentioned, perhaps it simply included a *lot* of historical data.

        Whoops, I see another poster mentioned that if you just want to work on a government contract, you would need the background investigation thro

        • That was 4.2 million, not 4.2 thousand.

          The 22 million is folks listed on forms by individuals who applied for a government security clearance. That's employees, contractors and all of their immediate family.

          That having been said, nearly 40 million people in the US either work for the government as employees or work for them indirectly under one contract or another.

          https://markstoval.wordpress.c... [wordpress.com]

          • That was 4.2 million, not 4.2 thousand.

            The 22 million is folks listed on forms by individuals who applied for a government security clearance. That's employees, contractors and all of their immediate family.

            That having been said, nearly 40 million people in the US either work for the government as employees or work for them indirectly under one contract or another.

            https://markstoval.wordpress.c... [wordpress.com]

            Whoops, sorry, reading comprehension fail :)

            40 million direct and indirect employees, though...wow. 12.5% of the population. How much are your income taxes again? Not that Canada's doing any better in that regard. I'd be curious to see what the comparative numbers north of the border are...

    • The most shocking statement in this article, to me, is that there are more than 20 million government employees in the US...that's over half the population of Canada!

      It's not 20M current employees.

      It's everybody who's worked directly for the government or worked as a contractor who needed regular access to a government facility or needed a security clearance (probably mostly contractors) since 2000, and maybe before. And people who applied in that period and got as far as the investigation forms and were declined. It's everyone who filled out one of three forms: SF-85 (people in non-sensitive positions), SF-85P (people in "public trust" but not national security posi

      • The most shocking statement in this article, to me, is that there are more than 20 million government employees in the US...that's over half the population of Canada!

        It's not 20M current employees.

        It's everybody who's worked directly for the government or worked as a contractor who needed regular access to a government facility or needed a security clearance (probably mostly contractors) since 2000, and maybe before. And people who applied in that period and got as far as the investigation forms and were declined. It's everyone who filled out one of three forms: SF-85 (people in non-sensitive positions), SF-85P (people in "public trust" but not national security positions), and SF-86 (security clearances secret or higher), including all the information from the investigation.

        Wow, that is a much wider range than just 'government employees'. 20 million definitely starts to make sense in that context, even if their refusal to deal with the situation doesn't.

    • by gymell ( 668626 )
      I've never been a government employee, but I am a contractor who worked for a subcontractor on a project that required a security clearance. So I had to submit a form SF-86 and this means that my data is part of this hacking. I've yet to receive any official notification about it.
  • maybe they are just negotiating with the individuals in possession of the information to um... sort it out so that the government itself can have efficient access to it? maybe even make it... umm... searchable... so they can figure out who's who? probably cheaper to pay terrorists to do it than the government contractors.
  • by Aryden ( 1872756 )
    I got my notification as did everyone else in my office.
