Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)

OPM Struggles to Notify Breach Victims

Notifying 21.5 Million Presents Challenges
OPM Struggles to Notify Breach Victims

Round two of the Office of Personnel Management's data breach notifications has yet to begin, and officials say it may be weeks before notices get issued.

See Also: Why Active Directory (AD) Protection Matters

The agency has yet to solicit bids from an outside contractor to handle the work of notifying 21.5 million affected individuals, Reuters reports, citing interviews with unnamed government officials.

The delay is due to the fact that OPM handled data for a number of other agencies, and is thus attempting to create a centralized breach-notification system, rather than delegating the notification task to every agency responsible, according to Reuters. That move also reflects the fact that numerous government employees and contractors frequently move between different agencies, thus demanding a more centralized approach to locating and notifying breach victims.

Given the private nature of the information that appears to have been stolen by hackers, some members of Congress are backing legislation calling for free lifetime ID theft monitoring services for the breach victims. Meanwhile, the director of the National Security Agency says he expects more OPM-style breaches in the public and private sectors.

Notification Challenges

Nothing tests an organization's data breach response plan like the need to notify millions that their personal details have been potentially compromised.

That's the challenge now facing OPM in its response to its second breach in recent months - one of the worst data breaches to ever hit a U.S. government agency. The White House has warned that hackers appear to have stolen every background-investigation form - a 127-page document that everyone seeking a security clearance must submit - filed with the U.S. government since at least 2000.

Some of those 21.5 million breach victims were also victims of what the White House is calling a "separate but related" December 2014 hack attack, which OPM says exposed personnel data for 4.2 million individuals. The first incident was discovered in April, and in June led to the discovery of the background-information theft, Katherine Archuleta - who resigned July 10 as OPM's director - said at a Congressional hearing (see Archuleta Resigns as OPM Director). Many, but not all, of the victims of the smaller breach were also victims of the background-investigation hack attack, OPM says.

OPM has been criticized for how it handled notification for the first, smaller breach; it emailed breach victims, requesting that they click on a link that led to a third-party identity-theft monitoring service provider. Many breach victims said they were unable to tell if the email itself was a phishing attack. The third-party link apparently also violated Department of Defense guidelines, which prohibit employees from clicking on links to untrusted sites (see OPM: 'Victim-as-a-Service' Provider).

Breach Delay: Not Unexpected

The delayed notification for 21.5 million victims of the second breach is not surprising, given the number of interconnected systems that are likely involved, as well as the need to develop and test both the notification strategy and related support systems, says Peter Tran, senior director of the Worldwide Advanced Cyber Defense Practice at security firm RSA. "The OPM is in crisis-management mode at this moment so focus and accuracy are key, while balancing time sensitivity," he says. According to research conducted by RSA, notification delays are not uncommon, as 72 percent of large enterprises report being unprepared to handle breach recovery and notification.

In fact, OPM now faces a bigger risk not from delayed breach notifications, but from rushed, inaccurate or mishandled ones, and the threat that victims will overwhelm whatever breach-support mechanisms the agency puts in place. "Panic is the No. 1 enemy for successful recovery," Tran says. "You want to avoid a 'run on the banks behavior' scenario ... if you begin to send 22 million citizens - seven percent of the American population - into [a] panic without having proper guidance."

Private Information Stolen

OPM officials say that the 4.2 million victims of the first breach had their job application information exposed. But the 21.5 million affected by the second breach had submitted background information that often contained highly personal information, including Social Security numbers and addresses, and in some cases also details of sexual behavior, extra-marital affairs, alcohol abuse, financial difficulties and criminal convictions (see Analysis: Why the OPM Breach Is So Bad).

In June, U.S. Director of National Intelligence James Clapper said that China is the prime suspect behind the hack attack (see OPM Breach: China Is 'Leading Suspect'). The Chinese government has denied responsibility.

In the wake of the OPM breaches, the agency and some of its directors have been sued by two unions that represent federal employees. One of those suits, filed by the National Treasury Employees Union, which represents 150,000 employees, demands that OPM provide lifetime identity theft monitoring services to workers whose information was exposed.

OPM says it's offering 18 months of free ID theft monitoring to victims of the first breach and three years of coverage to victims of the larger second breach.

Lawmakers Seek Lifetime ID Theft Monitoring

A bill unveiled earlier this month in both houses of Congress, called the Recover Act - for "Reducing the Effects of the Cyber-attack on OPM Victims Emergency Response" - would provide lifetime identity theft monitoring for all government employees and contractors - and anyone else - affected by the two OPM breaches, as well as at least $5 million in identity theft insurance.

"Much of the OPM data is lifetime and permanent background information that cannot be changed, like a credit card number," says Rep. Eleanor Holmes Norton, D-D.C., who introduced a House version of the bill together with eight Democratic lawmakers from Maryland and Virginia - states with large numbers of federal workers.

"We have a responsibility to protect the people who have been put at risk," says Sen. Ben Cardin, D-Md., who introduced the Senate version of the legislation together with three other Democratic senators from Maryland and Virginia.

Colleen M. Kelley, president of NTEU, has voiced her support for the legislation. "Federal employees are required to submit personal, sensitive and confidential information as a condition of employment, and their records deserve the highest levels of protection," she says. "The Recover Act will go a long way toward protecting individuals from ID theft problems stemming from these devastating data breaches."

The move to offer lifetime identity theft monitoring services to OPM breach victims parallels Blue Cross Blue Shield health insurance plans, in the wake of several large breaches, promising to soon offer free identity theft services to everyone it insures for as long as they remain customers (see Will ID Protection Offer Set New Standard?).

NSA Forecasts More Mega-Breaches

U.S. Navy Adm. Mike Rogers, who heads both the National Security Agency and the U.S. military's Cyber Command, warns that he expects to see more OPM-style breaches hit both the public and private sectors.

"I don't expect this to be a one-off," said Rogers, speaking July 15 at the London Stock Exchange, The Wall Street Journal reports. "We are in a world now where, despite your best efforts, you must prepare and assume that you will be penetrated. It is not about if you will be penetrated, but when."

Rogers said recent mega-breaches - for example, at OPM and Sony Pictures Entertainment - should trigger a rethink about how all organizations, including government agencies, approach information security. In the aftermath of the OPM breaches, Rogers said, one of key questions to ask is: "What is the right vision for the way forward in how we are going to deal with things like this?" (See OPM Breach: Get Your Priorities Straight).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.