The Office of Personnel Management has released the following list of frequently asked questions covering important information related to the cyber breach reported last week that impacted the personal information of as many as 4 million current and former federal workers:
Within the last year, the Office of Personnel Management (OPM) has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its various networks. As a result, in April 2015, OPM became aware of a cybersecurity intrusion affecting its information technology (IT) systems and data.
Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security U.S. Cyber Incident Response Team (US-CERT), and the Federal Bureau of Investigation to determine the impact to current and former Federal personnel. OPM immediately implemented additional security measures and will continue to improve the security for the sensitive information it manages. The FBI has opened an investigation in order to identify and hold accountable the person(s) responsible for this incident.
OPM will send notifications to approximately 4 million individuals whose PII may have been compromised. Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary. In order to mitigate the risk of fraud and identity theft, OPM will offer credit report access, credit monitoring and identity theft insurance and recovery services at no cost to them, through CSID®, a company that specializes in identity theft protection and fraud resolution.
Were these employees OPM employees or employees from across the executive branch? Was the legislative or judicial branch impacted by this intrusion?
OPM services the Federal workforce so the affected population includes Executive Branch agencies and employees.
Were members of the military affected by the breach?
This incident did not affect military records. No contractors were affected unless they previously held Federal civilian positions. The incident affected current and former Federal civilian personnel, including Department of Defense civilian employees.
Have the police been notified? If so, with which police department and what is the case number?
Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation (FBI) to determine the full impact to Federal personnel and investigate the intrusion. Federal law enforcement continues to investigate the matter and assist with remediation efforts. OPM immediately implemented additional security measures and will continue to improve security for the sensitive information it manages.
When did this happen?
The intrusion occurred in December 2014. OPM became aware of the intrusion into its systems in April 2015 after implementing tough new measures to deter and detect cyberattacks. During its investigation with its agency partners, the FBI and US-CERT, OPM became aware of potentially compromised data in May 2015.
What systems were affected?
For security reasons, OPM cannot publicly discuss specifics of the systems that might be affected by the compromise of personnel data. Additionally, due to the ongoing investigation, it would be inappropriate to publicly provide information that may impact current work by law enforcement. OPM has added additional security controls to better protect overall networks and systems and the data they store and process.
What personal information was compromised?
OPM maintains personnel records for the Federal workforce. The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, and current and former addresses. It is the type of information you would typically find in a personnel file, such as job assignments, training records, and benefit selection decisions, but not the names of family members or beneficiaries and not information contained in actual policies. The notifications to potentially affected individuals will state exactly what information may have been compromised.
How many people are involved?
Approximately 4 million current and former Federal employees.
Why didn’t OPM tell affected individuals about the loss of the data sooner?
OPM became aware of the intrusion in April 2015. OPM worked with US-CERT as quickly as possible to assess the extent of the malicious activity and to identify the records that may have been compromised. During the investigation, OPM became aware of potentially compromised data in May 2015. As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals.
It is important to note that this is an ongoing investigation that could reveal additional exposure; if that occurs, OPM will conduct additional notifications as necessary. Protecting the integrity of the information entrusted to OPM is the agency’s highest priority.
What is OPM doing to prevent this kind of loss from happening again?
Because cyber threats are evolving and pervasive, OPM is continuously working to identify and mitigate threats when they occur. OPM evaluates its IT security protocols on a continuous basis to make sure that sensitive data is protected to the greatest extent possible, across all networks where OPM data resides—including those managed by government partners and contractors.
Has the information been misused?
At this time, we have no evidence that there has been any use or attempted use of the information compromised in this incident. This is an ongoing investigation and OPM will continue to be vigilant to ensure that necessary security measures are in place to further strengthen and protect our networks, systems, and data.
I did not receive a letter stating that my information was compromised, but feel that I should have. Can you help me?
OPM is aware of the affected data and the networks and the data on which it resides. OPM will begin sending notifications to individuals whose PII may have been compromised on June 8, 2015. These notifications will take place on a rolling basis through June 19, 2015. The email will come from email@example.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.
What are the risks of identity theft with the information that was compromised?
Receiving a letter does not mean that the recipient is a victim of identity theft. OPM is recommending that people review their letters and the recommendations provided. In order to mitigate the risk of fraud and identity theft, we are offering credit monitoring service and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution. All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months. Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID.
How long will it take to inform all the potential victims involved in the incident?
OPM will begin conducting notifications to affected individuals using email and/or USPS First Class mail on June 8, 2015 and will continue notifications on a rolling basis through June 19, 2015.
Who is responsible for this incident?
OPM does not assign attribution for cybercrimes. That question is best addressed by law enforcement agencies.
What has been the operational or mission impact to OPM?
There has been no operational impact to OPM. OPM has continued to operate at full capacity since the incident occurred.
Can my family members also receive services if they are part of my file/records?
Family members of employees were not affected by this breach.