OPM data breach – what should you do?

Tadpole

Federal workers and retirees are affected. Recommendations include changing bank accounts.
OPM data breach – what should you do? | Consumer Information


:mad::mad::mad:

The OPM data breach that was announced yesterday affects 4 million people.


Although the FTC instructions above said bank accounts should be closed, the Washington Post reported that:
"The intruders in the OPM case gained access to information that included
employees’ Social Security numbers, job assignments, performance ratings and
training information, agency officials said. OPM officials declined to comment
on whether payroll data was exposed other than to say that no direct-deposit
information was compromised. They could not say for certain what data was taken,
only what the hackers gained access to."

Chinese breach data of 4 million federal workers - The Washington Post
 
Even if hackers got payroll info how would that give them access to your accounts? Routing and account numbers are printed on the face of every check. OPM doesn't have your passwords. I already have a credit freeze. That is all I plan ---- for now.
 
The FTC advice must be just canned advice to which they added a paragraph about the OPM breach. Freezing one's credit makes it a little more difficult to chase CD rates. I've resisted freezing mine but am now on several of these free credit monitoring arrangements. It seems like there is a rash of breaches lately. So, I will finally go for the freeze.


IT people - if OPM (or other) has such difficulty detecting a breach, how do they know when one has NOT occurred?
 
IT people - if OPM (or other) has such difficulty detecting a breach, how do they know when one has NOT occurred?

They don't. Proper design, testing, audits are supposed to mitigate risk. IMHO very few organizations do that.

Little different but related. I sat in a discussion one day of organizations that had implemented high availability into their systems for DR. Over 90% of the participants had never completed a successful test. These were major companies that everyone here would recognize their names. They had spent millions on the technology but never tested to ensure their procedures would work. :mad:


🐑
 
Big data breach after federal agency loses a bunch of funding. Nothing suspicious here?
 
IT people - if OPM (or other) has such difficulty detecting a breach, how do they know when one has NOT occurred?
To know for certain that there has been no breach you must deny access to all. Then you know it!

I happen to be writing about security in the cloud, and have so many thoughts in my head right now I can't get out much of anything. (DENY ALL).

If you search for topics like "cloud security architecture" and look at images, not regular search finds, you can inspect a few images and understand how complex this landscape is. There is not one approach or one network that is immune forever. The threats are constantly evolving, and each minute some new idea has to be built out and implemented to deflect the new stuff coming at you.

One thing that is probably not mature in the fed and mil landscape is experience with IDS (Intrusion Detection Systems). These are inside your cloud and looking at bits of stuff.
:confused:
 
Even if hackers got payroll info how would that give them access to your accounts? Routing and account numbers are printed on the face of every check. OPM doesn't have your passwords. I already have a credit freeze. That is all I plan ---- for now.
It is amazing how many people will hesitate to give out the routing/account numbers while readily writing a check at a local grocery store and handing the same data to a teenage clerk.

When I lived in Europe it was customary to put these numbers on your personal calling card -- that is how people transfer money to you. Checks didn't exist.
 
I'm also on a free credit monitoring arrangement from the last time my federal agency files were hacked.
 
Even if hackers got payroll info how would that give them access to your accounts? Routing and account numbers are printed on the face of every check. OPM doesn't have your passwords. I already have a credit freeze. That is all I plan ---- for now.

Totally agree. I froze my credit in 2006 when my identity was stolen prior to any known attempts to use it. My DW froze hers 2 years ago after someone opened an account with her info and she was billed. A medical clinic she had used several years prior, finally fessed up and admitted recently there had been a breach and her info lost. I have heard medical firms are the most common source of breaches.

The credit freeze gives me some comfort.
 
From the article,
The intruders in the OPM case gained access to information that included employees’ Social Security numbers, job assignments, performance ratings and training information, agency officials said. OPM officials declined to comment on whether payroll data was exposed other than to say that no direct-deposit information was compromised. They could not say for certain what data was taken, only what the hackers gained access to.

Since I am a federal retiree, I could care less about job assignments, performance ratings, and training information. They can browse those all they wish as far as I'm concerned.

That leaves my SS number. Granted, I try to keep that private but I wonder how much they can actually do with it. Even if they do try to open credit accounts somehow with little more than a name and SS number, I doubt they would do that for each of 4,000,000+ accounts that were hacked.

Honestly I wish they would do SOMETHING to stop these scares. Surely it can't be that hard. This isn't the first time that there has been a massive loss of federal employees' information. I remember this happening to those of us who held federal credit cards (for work) maybe 10-15 years ago.
 
The information may not be of much use right now, but it will be aggregated with other data as time goes on. Eventually some crafty group on foreign soil will be able to launch a catastrophic electronic hit.

These strikes can be deflected, but the immense size of our gov't makes it unlikely that it will all be fixed. There's too much old stuff to fix.
 
Oh goodie! I received my OPM notice today. They botched basic security but gave me free monitoring for three years. Chinese are patient. I'd expect a major event in 2018/2019.

I'm off to hunt down these ill mannered scoundrels.
 
Oh goodie! I received my OPM notice today. They botched basic security but gave me free monitoring for three years. Chinese are patient. I'd expect a major event in 2018/2019.

Got my letter from OPM about 2 weeks ago and signed up for the monitoring service. I applied for a new credit card yesterday and soon got an alert notice so that part of the monitoring service works.
 
Oh goodie! I received my OPM notice today. They botched basic security but gave me free monitoring for three years. Chinese are patient. I'd expect a major event in 2018/2019.

I'm off to hunt down these ill mannered scoundrels.

Got my letter from OPM about 2 weeks ago and signed up for the monitoring service. I applied for a new credit card yesterday and soon got an alert notice so that part of the monitoring service works.

where have you been... got my notice a long time ago... but then my employment was in the 1980's for a month or two.
 
Got my notice back in August, but I've been using a monitoring service for years from previous hacks. It never ends.


 
where have you been... got my notice a long time ago... but then my employment was in the 1980's for a month or two.

I did receive a notice from OPM shortly after the hack that my personal information 'may' have been taken and gave me a one year monitoring service. The most recent letter stated very clearly that my personal data 'was' taken.
 
Both OPM and IRS data breaches affect us. Got one year of ID theft protection through the IRS and three years through OPM...different vendors for each. Before that, had personal data heisted from Home Depot (one year ID theft protection through them which has since expired). No problems noted...yet. However, all of this is certainly not a confidence builder in the security of personal and financial transactions we do online.
 
where have you been... got my notice a long time ago... but then my employment was in the 1980's for a month or two.

I've been here, writing about secure practices. What irony! Secure your data at rest...

Never was a fed employee. The data given away is always much larger and broader than revealed.
 
where have you been... got my notice a long time ago... but then my employment was in the 1980's for a month or two.
Got mine six months ago and again two weeks ago. I wonder if my info was stolen twice?
 
I got the letter today. Tried to sign up and it tells me they can't verify my information and to call. How annoying.

I think I will stick with my own method of keeping up with my information. I am probably a little better at it than the "lowest bidder" Uncle Sam went with.
 
where have you been... got my notice a long time ago... but then my employment was in the 1980's for a month or two.

The most recent breach was for information that folks provide on the security clearance application (SF-86/SF-85 or SF-85A). It's a LOT of information that is used to adjudicate clearances. It really sucks for those that had/have TS and above clearances...that is A LOT of information. The information may include:

Name
Fingerprints
SSN
Address
DOB and Location of Birth
Residency
Education
Employment History
Foreign Travel History
Information on Immediate Family
Business/Personal Acquaintances
And "Other" Information

This includes a total of about 22 million folks. If you had an investigation completed since about the year 2000, you may very well be included.

https://www.opm.gov/cybersecurity/cybersecurity-incidents/#WhatHappened
 
Well my husband got a letter yesterday. I, the federal employee, have not received a letter yet. So far as we can remember the only link he would have with OPM would be through my employment. I have talked to OPM on another matter recently and they had one mistake in my record - my husband's last name. They said they would make the necessary corrections and notify me by snail mail when this was done. I have not received confirmation of the name change but the letter to my husband had his correct name. Maybe the attention I focused on him caused this cart-before-the-horse mail. I hope I see my letter soon. Good news is that they had the wrong name for my husband when the records were stolen.


The letter does not refer to his relationship as a spouse but covers him and dependent children, again, without mention of spousal coverage.


Anyone else got a spousal letter - if so, does it mention the employee coverage or relationship?
 
I got my OPM letter on Wednesday before Thanksgiving. I promptly signed up for the credit monitoring. Seems ridiculous that an agency that uses words like "secret" and "top secret" would have none.

 