OPM breach news (UPDATED)
We talked the other day about the data breach at the Office of Personnel Management that probably affected the PII of everyone who has ever been employed or contracted by the federal government. Apparently the breach happened months ago and went undetected for months, and, like the President, we don’t find out about important stuff until it’s news. From Fox News:
“The recent OPM breach was identified, noted and the credentials and identities have been discovered online and are being traded actively,” said Roberts, who has been a consultant to a number of government agencies, but is currently at odds with the FBI over his reports, first published in Fox News, detailing the vulnerabilities of commercial airlines to cyber hacking. The FBI accused Roberts of hacking a commercial airplane, while Roberts claims he was simply trying to warn the government and industry of vulnerabilities.
“When these accounts are posted on the darker side of the net, they are usually ‘live’ and are part of a larger breach,” Roberts added. “They are typically parsed out and sold and distributed to interested parties, something OWL tracks.”
So the crooks find out about it before we do – we find out after our information is sold to criminals. But, not to worry, the government is on the job. According to a memo they sent out today, you’re in good hands:
Beginning June 8 and continuing through June 19, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. OPM has retained a private vendor, CSID, to transmit the notifications on behalf of OPM. Consequently, the email will come from opmcio@csid.com and will not come from a .gov email address. The notification will feature a CSID logo and will contain information regarding credit monitoring and identity theft protection services being provided to those federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.
This notification is different from other notifications you may have already received. The Department is also in the process of notifying some DHS employees in CBP, ICE, TSA, and in a small number of other components that one of the companies that DHS contracts with to conduct background investigations and credit checks may have had a compromise of its network. That notification, which was made via U.S. Postal Service, is separate from this OPM notification.
Fing brilliant – send out a notification by email from a commercial email address. I’m sure no one will send out phishing emails, the crooks aren’t that smart, huh? F*** you, federal government. I’ll take care of my-damn-self you buncha incompetent boobs. If you send me an email, you won’t get a response…ever.
The rest of their stupid email, if you still think that they care about your PII:
As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks. To protect yourself, we encourage you to do the following:
1. Make sure the sender email address is “opmcio@csid.com.”
2. The email should not contain any attachments. If it does, do not open them, and forward the email to dhsspam@hq.dhs.gov.
3. The email is sent exclusively to your email address. No other individuals should be in the TO, CC, or BCC fields.
4. The email subject should be exactly “Important Message from the U.S. Office of Personnel Management CIO.”
5. The email will feature an embedded “Enroll Now” button. Do not click on the included link. Instead, record the provided PIN code, open a web browser then manually type the URL – http://www.csid.com/opm – into the address bar and press enter. You can then use the provided instructions to enroll using the OPM/CSID website.
6. The email should not contain any attachments. However, once you visit the OPM/CSID website (http://www.csid.com/opm) to enter your PIN code, you will be asked to provide personal information to verify your identity.
7. The official email should look like this sample screenshot.
8. If you would prefer not to enter your personal information on the OPM/CSID website (http://www.csid.com/opm), you may call the CSID call center toll-free at 844-777-2743 or 844-222-2743. (International callers: call collect 512-327-0705).
9. OPM will not proactively call you about the breach. If you receive a phone call about the breach claiming to be OPM, then it is a scam. Do not provide any personal information. CSID, not OPM, is making all notifications about this breach, and the notifications are by email or through the U.S. Postal Service.
Additional information is also available on CSID’s website, http://www.csid.com/opm (external link), or you can call them toll-free at 1-844-777-2743 (International callers: call collect at 1-512-327-0705).
Regardless of whether or not you receive this notification, you should take extra care to ensure that they are following recommended cyber and personal security procedures. If you suspect that you have received a phishing attack, contact your component’s security office.
In general, government employees are often frequent targets of “phishing” attacks, which are surreptitious approaches to stealing your identity, accessing official computer systems, running up bills in your name, or even committing crimes using your identity. Phishing schemes use email or websites to trick you into disclosing personal and sensitive information.
We will continue to keep you advised of new developments regarding this cybersecurity incident as we learn more from OPM. The following includes helpful information for monitoring your identity and financial information and precautions to help you avoid being a victim.
Steps for Monitoring Your Identity and Financial Information
Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. You can find contact information for the credit bureaus on the Federal Trade Commission (FTC) website, www.ftc.gov.
Review resources provided on the FTC identity theft website, www.Identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.
Precautions to Help You Avoid Becoming a Victim
· Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
· Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
· Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
· Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).
· Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
· If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
· You should take steps to monitor your personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
· Additional information about preventative steps is available by consulting the Federal Trade Commission’s website, www.consumer.gov/idtheft. The FTC also encourages those who discover that their information has been misused to file a complaint with the commission using the contact information below.
Identity Theft Clearinghouse
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20580
https://www.identitytheft.gov/
1-877-IDTHEFT (438-4338)
TDD: 1-202-326-2502
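As an added example (not part of the post or of the OPM/DHS notice), here is a Python script that applies the four header checks from the notice’s checklist to a raw message and then reads the SPF/DKIM/DMARC verdicts from the receiving mail server’s own Authentication-Results header (RFC 8601). The two sample messages, the `mx.example.net` server name and the lure domain are constructed for illustration. The point it makes: the sender address, subject, recipient list and attachment-free body are all written by whoever sends the message, so a forged notice satisfies every item on the list; only the verdicts your own mail server attached tell the two apart.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Values the OPM/DHS notice told recipients to look for (checklist items 1-4).
EXPECTED_FROM = "opmcio@csid.com"
EXPECTED_SUBJECT = "Important Message from the U.S. Office of Personnel Management CIO"
# Assumed name of our own receiving mail server (constructed for this example).
TRUSTED_AUTHSERV = "mx.example.net"


def memo_checks(raw: bytes) -> dict:
    """Apply the notice's header checks to a raw RFC 5322 message.

    Every field inspected here is chosen by the sender, so the checks describe
    what a genuine notice looks like but prove nothing about who sent it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    recipients = getaddresses(
        [str(v) for hdr in ("To", "Cc", "Bcc") for v in msg.get_all(hdr, [])]
    )
    attachments = [
        part for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    ]
    return {
        "sender_matches": sender.lower() == EXPECTED_FROM,
        "no_attachments": not attachments,
        "single_recipient": len(recipients) == 1,
        "subject_matches": str(msg.get("Subject", "")) == EXPECTED_SUBJECT,
    }


def passes_memo_checklist(raw: bytes) -> bool:
    return all(memo_checks(raw).values())


def auth_results(raw: bytes) -> dict:
    """Read SPF/DKIM/DMARC verdicts from Authentication-Results (RFC 8601).

    A sender can write this header too, so only the copy whose authserv-id is
    our own server counts; a real MX strips foreign copies before adding its own."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, clauses = str(value).partition(";")
        words = authserv.split()
        if not words or words[0] != TRUSTED_AUTHSERV:
            continue  # not added by us: treat as sender-supplied and ignore
        for clause in clauses.split(";"):
            method, _, rest = clause.strip().partition("=")
            if method in verdicts and rest:
                verdicts[method] = rest.split()[0]  # e.g. "pass (comment)" -> "pass"
    return verdicts


def verified(raw: bytes) -> bool:
    """What the checklist should have said: looks right AND DMARC passed for
    the From domain at our own server."""
    return passes_memo_checklist(raw) and auth_results(raw)["dmarc"] == "pass"


# Constructed samples, not real messages. FORGED matches every checklist item;
# the only thing that gives it away is our own server's header.
FORGED = b"""\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=lure.example; dkim=none; dmarc=fail header.from=csid.com
From: "OPM CIO" <opmcio@csid.com>
To: employee@example.gov
Subject: Important Message from the U.S. Office of Personnel Management CIO
Content-Type: text/html

<p>Your PIN is 000000. <a href="http://www.cisd.com/opm">Enroll Now</a></p>
"""

GENUINE = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=csid.com; dkim=pass header.d=csid.com; dmarc=pass header.from=csid.com
From: opmcio@csid.com
To: employee@example.gov
Subject: Important Message from the U.S. Office of Personnel Management CIO
Content-Type: text/html

<p>Your PIN is 000000. Enroll at http://www.csid.com/opm</p>
"""

if __name__ == "__main__":
    for name, raw in (("FORGED", FORGED), ("GENUINE", GENUINE)):
        print(name, memo_checks(raw), auth_results(raw), "verified:", verified(raw))
```

Run it and both messages pass the notice’s checklist; only `verified()` separates them, and it does so using a header the recipient never sees in a mail client. That is the check a mail gateway should enforce (reject or quarantine on DMARC failure for the sending domain) rather than something to ask each recipient to do by eye.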
UPDATE: There seems to have been a second hack that exposed the records of military personnel.
The Office of Personnel Management, which was the target of the hack, has not officially notified military or intelligence personnel whose security clearance data was breached, but news of the second hack was starting to circulate in both the Pentagon and the CIA.
Category: Dumbass Bullshit
The way I understood this from Ace’s post last night was that the hackers were able to access the SF 86 forms of anyone who had applied for a clearance through a civilian agency via the Federal Government, but that those of us who filled out the same form for a clearance through military or intelligence channels were safe. Anyone hear anything different?
Sigh-never mind, he just posted to update that military and intelligence personnel were also hacked.
http://acecomments.mu.nu/?post=357301
Well, that sucks dog nuts.
Man, what a pain in the ass. I’ve been submitting SF86’s since 1980. These assholes know me better than I do!
My new twitter rant hero:
https://storify.com/faceattack/rick-wilson-s-rant-about-opm-breach?utm_content=buffer99f19&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
“29/ Actions don’t have consequences unless you use “you guys” or ask about whether Bruce Jenner still has a penis. THEN it’s a crisis.”
“30/ Then the media and the White House and the Right Kind of People fly into a righteous fury, demanding Action.”
“31/ Fundamentally unserious county right now. Broken from top to bottom.”
“34/ There are people in the military and IC who get the scope of this catastrophe. But the rest of Washington? Merrily dancing on the abyss.”
As I’ve said, I’ve had my identity stolen twice before. Once when some idiot left an Oregon Guard laptop in his car and the second time thanks to the VA. My credit is already trash, so at least I know someone can’t screw it up any worse.
These assholes spend an inordinate amount of time badgering us to take online security recurring mandatory training, then flush all our shit out there anyway…then afterward have the balls to tell us we need to, “…take extra care to ensure that they are following recommended cyber and personal security procedures.”
GFY, G-6 assholes.
Can we sic the CFPB on OPM? Their behavior here is so egregious – they didn’t even store SSNs in an encrypted state! If the CFPB wanted to do actual good, instead of making up shit as they go along and then extorting fines from banks, they’d be up in the government’s shit, rooting out this kind of actual abuse…
SOS
we need the scene from Spaceballs where Mel Brooks gives up his secret password posted up ASAP.
FYI Mel Brooks served in the U.S. Army in WW2.
I think I could create an email that meets all of the requirements outlined in the post – since they were nice enough to write them all down.
The notification says:
Do not click on the included link.
If one percent of the people who receive this email fail to follow that instruction, that will be about 200,000 people. Okay. Never mind. No problem. It is only 1 percent.
The notification also says:
open a web browser then manually type the URL – http://www.csid.com/opm – into the address bar and press enter.
Guess what. There is a live site on http://www.cisd.com. Domain http://www.cids.com is for sale. Someone owns http://www.scid.com. There is a web server at http://www.csid.gov but it isn’t chatty. Have any of you ever gone to www(dot)whitehouse(dot)com? I think you get the idea. How many of us would type that URL in wrong? This process rates a 9.9 from the East German judge.
We want to trust our government not to do stupid shit. Unfortunately, they do and I don’t. This is catatonic.
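The point in the comment above about cisd/cids/scid, as an added example (not from the post or the commenter): a Python script that lists the single-keystroke neighbours of the domain the notice says to type, and scores any hostname a user is about to visit against it with an edit distance that counts an adjacent transposition as one error. The target hostname and the sample inputs come from the page; the two-edit threshold and the treatment of subdomains are assumptions. It is the check a defender would run before telling people to hand-type a URL: register or monitor the neighbours, and treat a same-name/different-TLD host as a lookalike too.

```python
from urllib.parse import urlparse


def registrable(url_or_host: str) -> tuple[str, str]:
    """Reduce a URL or hostname to (second-level label, tld).
    Assumes plain two-level names like csid.com; 'www.' and other subdomains
    are dropped."""
    text = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlparse(text).hostname or "").lower()
    parts = host.split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insertion, deletion, substitution and adjacent transposition each cost 1,
    so csid -> cisd is 1 and csid -> cids is 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def single_edit_variants(label: str) -> set[str]:
    """Labels one typing error away from `label`: adjacent transposition,
    dropped character, doubled character. These are the names to register
    or watch; keyboard-adjacent substitutions are deliberately left out."""
    out = set()
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])          # dropped character
        out.add(label[:i] + label[i] + label[i:])   # doubled character
    out.discard(label)
    return out


def classify(candidate: str, target: str = "www.csid.com") -> str:
    """'exact', 'lookalike' or 'unrelated' for the host a user is about to visit.
    Same label on a different TLD counts as a lookalike (csid.gov, whitehouse.com);
    otherwise a label within two edits does. The threshold is an assumption."""
    c_label, c_tld = registrable(candidate)
    t_label, t_tld = registrable(target)
    if (c_label, c_tld) == (t_label, t_tld):
        return "exact"
    if c_label == t_label or osa_distance(c_label, t_label) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    print(sorted(single_edit_variants("csid")))
    for host in ("http://www.cisd.com", "http://www.cids.com",
                 "http://www.scid.com", "http://www.csid.gov", "www.example.com"):
        print(host, classify(host))
```

Of the three hosts the commenter found, `cisd` and `scid` are one transposition away and `cids` is two edits away, so a list built only from single-edit variants would miss it; the distance function catches all three. Run the variant list against the registry (or a passive DNS feed) before the notification goes out, not after.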
UPDATE: There seems to have been a second hack that exposed the records of military personnel.
“OPM has retained a private vendor, CSID, to transmit the notifications on behalf of OPM. Consequently, the email will come from opmcio@csid.com and will not come from a .gov email address.”
I got my notification the day before yesterday, but it was a postal letter from DHS. I work for the Dept of Transportation now, so not sure why DHS sent me a letter. Maybe because I used to work at TSA Headquarters.
I haven’t gotten any emails and if I did, I would be very careful about accessing it.
This whole thing is so fucked up. I’ve worked in the security/intel field for decades and it ain’t a good feeling knowing that the PRC has my info. My only consolation is that I’m an old fart and they wouldn’t waste their time on me. Of course, they could just sell the info to ID thieves and then I would be fucked…royally. Time will tell.
I am so fed up with the federal govt. I’ve already told my boss that I am working to be out the door in a year, if not sooner. The govt seems to be nothing more than a damn welfare program from what I’ve seen.
Costa Rica here I come!
Well crap. Just got my mail and there was my personal notification.
Anyone here also getting multiple myBIZ personnel notifications? I keep getting emails from the myBIZ site that states my profile has been updated. It’s been about 1 dozen times now and I can’t figure it out.
Please post a response or hit me up in an email. Jonn has it if he would be kind enough to share it with those who want to email me.
Got my email yesterday 19 June at 2000. I have been a DoD employee for over 38 years. Got notification from our Captain (USN) that we were breached back in February.
What can I say? Correct me if I am wrong, but did not all that in line and classroom training tell us to distrust non .gov or .mil email addresses such as .com? I wonder if this notification would even make it through NMCI? So our government elects to inform us with a .com that we have all been trained to question. Oh well, who listens to the training anyway, not the bosses.
Final question and comment, who is providing all of this wonderful “Protector Plus” coverage? A no-bid contractor like the one who mismanaged affordable health care? OR are we just going to send our PII to be distributed to the world by another source.
I started my career when interest rates were so high I could not buy a house or car, I retired when interest rates are so low that my retirement savings lose headway just sitting in the bank. At both ends our government was and now is OUT OF CONTROL.
sorry on line not in line