Government Still Hasn't Notified Individuals Whose Personal Data Was Hacked
schwit1 writes: Months after the federal government admitted publicly that the personal data of more than 20 million government employees had been hacked, they still have not sent notifications to those millions. The agency whose data was hacked, the Office of Personnel Management (OPM), said the Defense Department will begin "later this month" to notify employees and contractors across the government that their personal information was accessed by hackers. OPM said notifications would continue over several weeks and "will be sent directly to impacted individuals." OPM also announced that it hired a contractor to help protect the identities and credit ratings of employees whose data was hacked. In a statement, OPM said it had awarded a contract initially worth more than $133 million to a company called Identity Theft Guard Solutions LLC, doing business as ID experts, for identity theft protections for the 21.5 million victims of the security data breach. The contractor will provide credit and identity monitoring services for three years, as well as identity theft insurance, to affected individuals and dependent children aged under 18, the agency said.
Re: (Score:3)
.. don't get your name, your photo, or anything that has anything to related to you, online - or even in a database, anywhere
Better move to Idaho, and build a compound. Oh wait - you'll still be in someone's database.
Assume it's all out there. (Score:5, Insightful)
We had some idiot in our HR department of a US Government Agency with everyone's personal information on their unencrypted laptop. Of course they left it in the back seat of their car and it was stolen. Nobody fired or demoted.
We also had our IT department send out an e-mail from a fake IP saying to follow a link to test the strength of your password. Something like 35% of the people fell for it.
Meanwhile I can't get the software I need to perform the work I am hired to do because I have so much crap running in the background of my machine that it's completely unstable.
Re: (Score:2)
Right. Not sure what the right term is. The link text looked legit but if you looked at the link itself it was something else. Here is the link
http://passwordtest.it-securit... [it-security-group.com]
Re: (Score:2)
Of course they left it in the back seat of their car and it was stolen. Nobody fired or demoted.
and
Meanwhile I can't get the software I need to perform the work I am hired to do because I have so much crap running in the background of my machine that it's completely unstable.
Anytime, anywhere, anything like this happens, the people who had nothing at all to do with it are the ones that get punished.
Re: (Score:1)
Devil's advocate:
The problem with government is that it is perceived as uncool to work for, so all the top notch IT talent is either gone or surrounded by people less experienced that make the decisions. Contractors can help... but to someone who isn't versed in the industry, how can one tell a security contractor who knows their stuff, versus a lot of "suit wearing chatter monkeys". Try hiring another contractor to check the work of the first, and you run into collusion issues.
Then add the fact that hiri
Re: (Score:2)
Well it's worse now.
It wasn't clear if that laptop had all the content of the SF-85/85P/86 forms, I don't think they admitted to it being more than the information they used as default passwords for the eQIP system plus basic ID information of who they belonged to. The OPM breach is the complete contents of the forms that everyone filled out since 2000, plus all the investigation data (not much if you're an SF-85, but potentially quite a lot if you're an SF-86). And they had such poor security that they pr
Re: (Score:2)
Do you have access to disable and uninstall them?
Identity theft? Try blackmail mitigation instead.. (Score:4, Insightful)
They hired a low bid contractor! (Score:2)
I feel so much better now. Because we all know the private sector is so good at security. And their diligent employees never walk out the door with sensitive information.
Re: (Score:2)
Yes I do. And if you think you haven't lost SSN; or the equivalent in your country; age, sex, address, and other information from banks, retailers and other companies you are naive.
Re: (Score:2)
Yes I do. And if you think you haven't lost SSN; or the equivalent in your country; age, sex, address, and other information from banks, retailers and other companies you are naive.
The OPM breach is a whole lot more than that for anybody with a clearance. It includes lists of friends, neighbors, associates, their contact information, things that they know about you that may not be in any database, how long they've known you, plus financial information, in some cases medical information, all neatly collated and verified for millions of people.
Re: (Score:2)
This isn't credit card data we're talking about here, this is just about all the information you can get on someone.
And has been collated and verified through alternate sources. It's not like you can give a bunch of fake information every time you renew your access (security clearance or otherwise) - they check it against what they already have and what they get from other agencies and your references and follow up if there are significant changes/differences.
Re:They hired a low bid contractor! (Score:4, Insightful)
You've never filled out an SF86, have you? No one else has that much information about you all in one file. Not even your relatives. A private investigator could get most of it, but it would be expensive to track down.
No one else except the Chinese apparently. :(
Re: (Score:1)
Yes I have, I doubtless have been compromised. I have also applied for a loan, filled out medical forms, registered to vote, registered a motor vehicle etc. There is nothing on the form my employer does NOT have. My employer has work history, next of kin, passport number, proof of citizenship, residence information, reference, military service, and medical information via our health plans.
Not too much of a difference these days that I can see. Except in the case of the government you, at least theoretically
Re: (Score:2)
Not too much of a difference these days that I can see. Except in the case of the government you, at least theoretically, have Constitutional protections.
The SC has said very little about privacy in the last many decades, but the basic principle is that you have no right to privacy for information that has ever been shared with anyone else. So you have no constitutional protections. You have some *very* weak protections through the privacy act. Depending on what state you live in, you likely have more legal protection in the case of data breaches at private companies.
Follow the $ (Score:3)
Re: (Score:2)
They should just contract with whoever boosted the data - they have everything they need to verify that they've contacted the correct people and probably have more interest in knowing your current address than OPM does.
Need legislation to fix ID theft NOW (Score:5, Insightful)
The fact that ID theft is a problem for consumers is mostly CROCK.
Why should lenders be allowed to commit libel WITH IMPUNITY against innocent consumers?
It is THEIR fault they didn't bother doing MINIMUM DUE DILIGENCE before loaning someone money!
What kind of IDIOT gives out money without VERIFYING who they are giving it to? Does ANYONE think that a SSN and DoB are "verification" of identity?
Companies and people should NOT be able to use credit reporting agencies to libel someone whose identity they haven't positively established with IMPUNITY.
Congress should IMMEDIATELY pass a law that if a lender can't provide POSITIVE PROOF that the person whose reputation they are trashing is in fact the SELF SAME person who they loaned money to, they should not be allowed to:
1) Put ANY adverse information in their credit report
2) Make ANY attempt to continue collection after the person asserts ONCE that he wasn't the person they loaned the money to
It should NEVER have been allowed that lenders get a free pass to be careless with THEIR money and then impose ANY of the cost of being defrauded due to THEIR OWN NEGLIGENCE on the innocent.
Write Congress on this one, folks!
Also, lawyers, how about a class action lawsuit against lenders for libel?
Best,
--PeterM
Re: (Score:2)
That solves the problem for some people, but not for those in my situation - I just moved across the country. People from other countries already face this problem: they have no US credit history, so for years they're screwed as far as credit is concerned.
I must admit that I don't know what to do about it, however. I can see the system is broken, but I don't know how to fix it. The European (well, Belgian as far as I know) solution is to not have credit history at all and instead to have far stricter bankru
Re: (Score:2)
While you're writing letters the banking lobby is either buying off those same officials one way or another.
That, or convincing them that the economy is too important and too fragile to allow lending institutions to take the hit.
You'd do better to stop borrowing so much and invest in bank stocks.
Hard to contact people with bad information (Score:5, Insightful)
Some notifications already out (Score:5, Informative)
The article summary makes it seem as if no-one has been notified, but I know at least one person who works for the federal government that was notified a week or so after the leak was revealed (and given information about the credit monitoring agency).
Re:Some notifications already out (Score:4, Informative)
The first one was about 4M people, all direct USG employees. The second was at least 22M people, a very large fraction of whom are contractors who work for companies of various sizes and need regular access to USG facilities or sensitive information. It's more significant information about many more people, and they've done pretty much nothing about it other than blame China for doing exactly the same thing the US would have done (and may have...)
Notification from OPM (Score:1)
Plenty of blame to go around here, but in the interest of accuracy, both my spouse and I received detailed notification from OPM over a month ago. So far, no damage done and the notification did provide instructions on implementation of ID protection.
Over 20 million employees? (Score:3)
The most shocking statement in this article, to me, is that there are more than 20 million government employees in the US...that's over half the population of Canada!
Granted, that's only about 6% of the population of the US, but still...wow...that's a pretty high MER.
Re: (Score:1)
That's a bit misleading, there are NOT more than 20 million government employees in the US. According to OPM, the Federal workforce totaled 4,185k people in 2014, including the military. (https://www.opm.gov/policy-data-oversight/data-analysis-documentation/federal-employment-reports/historical-tables/total-government-employment-since-1962/)
Regarding the breach discovered in June 2015, read the OPM press release:
OPM and the interagency incident response team have concluded with high confidence that sensitiv
Re: (Score:2)
Ah, okay then, that makes more sense! Thanks for the clarification!
Just over 4000 people is a lot better than 20 million, but the number of people who apply to government position (the reason, I assume, why they'd want a background investigation?) is still impressive! Or, as a previous poster mentioned, perhaps it simply included a *lot* of historical data.
Whoops, I see another poster mentioned that if you just want to work on a government contract, you would need the background investigation thro
Re: (Score:2)
That was 4.2 million, not 4.2 thousand.
The 22 million is folks listed on forms by individuals who applied for a government security clearance. That's employees, contractors and all of their immediate family.
That having been said, nearly 40 million people in the US either work for the government as employees or work for them indirectly under one contract or another.
https://markstoval.wordpress.c... [wordpress.com]
Re: (Score:2)
That was 4.2 million, not 4.2 thousand.
The 22 million is folks listed on forms by individuals who applied for a government security clearance. That's employees, contractors and all of their immediate family.
That having been said, nearly 40 million people in the US either work for the government as employees or work for them indirectly under one contract or another.
https://markstoval.wordpress.c... [wordpress.com]
Whoops, sorry, reading comprehension fail :)
40 million direct and indirect employees, though...wow. 12.5% of the population. How much are your income taxes again? Not that Canada's doing any better in that regard. I'd be curious to see what the comparative numbers north of the border are...
Re: (Score:2)
The most shocking statement in this article, to me, is that there are more than 20 million government employees in the US...that's over half the population of Canada!
It's not 20M current employees.
It's everybody who's worked directly for the government or worked as a contractor who needed regular access to a government facility or needed a security clearance (probably mostly contractors) since 2000, and maybe before. And people who applied in that period and got as far as the investigation forms and were declined. It's everyone who filled out one of three forms: SF-85 (people in non-sensitive positions), SF-85P (people in "public trust" but not national security posi
Re: (Score:2)
The most shocking statement in this article, to me, is that there are more than 20 million government employees in the US...that's over half the population of Canada!
It's not 20M current employees.
It's everybody who's worked directly for the government or worked as a contractor who needed regular access to a government facility or needed a security clearance (probably mostly contractors) since 2000, and maybe before. And people who applied in that period and got as far as the investigation forms and were declined. It's everyone who filled out one of three forms: SF-85 (people in non-sensitive positions), SF-85P (people in "public trust" but not national security positions), and SF-86 (security clearances secret or higher), including all the information from the investigation.
Wow, that is a much wider range than just 'government employees'. 20 million definitely starts to make sense in that context, even if their refusal to deal with the situation doesn't.
Re: (Score:2)
You would be safe in assuming your wife's data was also taken: https://www.opm.gov/cybersecur... [opm.gov]
Scroll down to "how you may be affected"
well, maybe (Score:2)
erm (Score:2)