OPM Releases New List of FAQs on Data Breach

Posted on June 19, 2015 in Current Events

The Office of Personnel Management has revised its list of frequently asked questions with updated information on the data breaches that hit its computer systems. The updated questions and answers are included below.

Updated: 6/25/2015 4:44 PM EST

General FAQs

What happened? Was there one intrusion or two?

OPM became aware of an intrusion affecting its systems and data in April 2015 and launched an investigation with its agency partners, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). In May 2015, through this investigation, OPM became aware of the potential compromise of data related to personnel records for current and former Federal employees. The agency began notifying potentially affected individuals on June 8. OPM is currently in the process of sending notifications to the approximately 4 million individuals whose personally identifiable information (PII) may have been compromised in that incident. Since the investigation is ongoing, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

During the ongoing investigation into the cyber intrusion of OPM that compromised personnel records (announced June 4), OPM, with its interagency partners, became aware of the possibility of a separate intrusion affecting a different set of OPM systems and data.

On June 8, as the investigation into the initial intrusion proceeded, the Interagency Response Team shared with relevant agencies that there was a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective Federal government employees, and those for whom a Federal background investigation was conducted, may have been compromised.

OPM, DHS, and the FBI are working as part of this ongoing investigation to determine the number of people affected by this separate intrusion. Since the investigation is ongoing, we are in the process of assessing the scope of the information that has been compromised, but we expect OPM will conduct additional notifications as necessary.

What information was compromised in the intrusion involving personnel records?

OPM maintains personnel records for the Federal workforce. The kind of data that may have been compromised includes your name, Social Security number, date and place of birth, and current and former addresses. It could include the type of information you would typically find in a personnel file, such as job assignments, training records, and benefit selection decisions.

In the case of the incident involving background investigations information, the investigation is still ongoing, and we will notify affected individuals if their data was affected as soon as is practicable. As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals.

Was background clearance information compromised?

During the investigation into the cyber intrusion of OPM that compromised personnel records (announced June 4), OPM, with its interagency partners, became aware of the possibility of a separate intrusion affecting a different set of OPM systems and data.

On June 8, as the investigation into the initial intrusion proceeded, the response team shared with relevant agencies that there was a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective Federal government employees, and those for whom a Federal background investigation was conducted, may have been compromised.

Since the investigation is ongoing, additional exposures may come to light. In that case, OPM will conduct additional notifications as necessary.

How many people were affected by both incidents? Do you have an estimate?

OPM is currently in the process of sending notifications to approximately 4 million current and former Federal civilian employees whose personally identifiable information (PII) may have been compromised in the incident impacting personnel records. It is important to note that this is an ongoing investigation that could reveal additional exposures. If that occurs, OPM will conduct additional notifications as necessary.

Were members of the military or contractors affected by either breach?

As of now, we do not believe the first incident involved personnel records of active military personnel. It did affect current and former Department of Defense civilian employees. Additionally, in the first incident, no contractors were affected unless they previously held Federal civilian positions.

However, since the investigation is ongoing, additional exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

Are Federal retirees affected by either breach?

Some Federal retirees are affected by the incident involving personnel records announced on June 4 and they are among the approximately 4 million current and former Federal civilian employees receiving notifications. We have not yet determined the scope and impact of the separate incident involving background investigation data. Since the investigations into both incidents are ongoing, additional exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

Have the police been notified?

Since both incidents were identified, OPM has partnered with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation (FBI) to investigate and determine the full impact to Federal personnel. Federal law enforcement agencies continue to investigate the matter and assist with remediation efforts. OPM immediately implemented additional security measures and will continue to improve security for the sensitive information it manages.

When did this happen?

OPM became aware of the intrusions into its systems in April (affecting personnel records) and May (affecting background investigations data) of 2015 after implementing tough new measures to deter and detect cyberattacks. The actual intrusions predated OPM’s discovery, but the precise timing is still a matter under investigation.

Was the data that was exfiltrated encrypted?

Though data encryption is a valuable protection method, today’s adversaries are sophisticated enough that encryption alone does not guarantee protection. OPM utilizes a number of different protection mechanisms for systems and data, and utilizes encryption when possible. However, due to the age of some of our legacy systems, data encryption isn’t always possible. In fact, encryption in this instance would not have protected the data.

Currently, we are increasing the types of methods utilized to encrypt our data. These methods include not only data at rest, but data in transit, and data displayed through masking or redaction. OPM’s IT security team is actively building new systems with technology that will allow the agency to not only better identify intrusions, but to encrypt even more of our data.

What systems were affected?

For security reasons, OPM cannot publicly discuss specifics of the systems that might be affected by the compromise of personnel data. Additionally, due to the ongoing investigation, it would be inappropriate to publicly provide information that may impact the current work by law enforcement. OPM has added additional security controls to better protect overall networks and systems and the data they store and process.

Why didn’t OPM tell affected individuals about the loss of the data sooner?

OPM became aware of the first intrusion in April 2015. OPM worked with US-CERT and the FBI as quickly as possible to assess the extent of the malicious activity and to identify the records that may have been compromised. In May 2015, through this investigation, OPM became aware of the potential compromise of data related to personnel records for current and former Federal employees. During the investigation into the cyber intrusion of OPM that compromised personnel records (announced June 4), OPM, with its interagency partners, became aware of the possibility of a separate intrusion affecting a different set of OPM systems and data involving background investigations.

As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals.

What is OPM doing to prevent this kind of loss from happening again?

We are committed to making this right and are investing the internal processes, tools, and resources to reduce the likelihood that this can happen again. Because cyber threats are evolving and pervasive, OPM is continuously working to identify and mitigate threats when they occur. OPM evaluates its IT security protocols on a continuous basis to make sure that sensitive data is protected to the greatest extent possible, across all networks where OPM data resides—including those managed by government partners and contractors.

What has OPM done to shore up its systems?

OPM has been making steady improvements in its cybersecurity posture over the past year. In February 2014, OPM Director Archuleta, in one of her first major initiatives as the Director of OPM, developed and approved an IT Strategic Plan to bolster OPM’s IT networks and databases and adopt state of the art security protocols.

This plan included upgrading Security Assessment and Authorization for several systems and implementing continuous monitoring to enhance the ability to identify and respond, in real time or near real time, to cyber threats.

Additional upgrades included the installation of more firewalls that allow us to filter network traffic; restricting remote access for network administrators and restricting network administration functions remotely; reviews of all connections to ensure that only legitimate business connections have access to the Internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of cybercrime tools that could compromise our networks.

That undertaking resulted in OPM having tough new security measures in place by the spring of this year. That is the reason the agency was able to detect in April 2015 an intrusion that happened some time earlier. The agency immediately began working with relevant Federal agencies, DHS, and the FBI to investigate and mitigate the intrusion.

After the incidents were discovered, OPM also immediately implemented additional security measures and will continue to add protections for the sensitive information it manages.

Has the information been misused?

At this time, we have no evidence that there has been any use or attempted use of the information compromised in this incident. This is an ongoing investigation and OPM will continue to be vigilant to ensure that necessary security measures are in place to further strengthen and protect our networks, systems, and data.

Who is responsible for this incident?

OPM does not assign attribution for cybercrimes. That question is best addressed by law enforcement agencies.

Can you say with confidence that the adversary is not currently in the system?

At this time, we have no indications that the actors remain in the OPM networks. The agency’s enhanced security measures not only enabled us to detect the intruder, but have allowed us to identify, isolate, and prevent even sophisticated actors who are using new techniques. It is also worth noting that the malicious activity that OPM found was latent; the intrusions occurred well before they were discovered by OPM.

However, this is an ongoing investigation and we are still getting new information on what occurred on OPM’s networks.

What has been the operational or mission impact to OPM?

There has been no operational impact to OPM. The agency has continued to operate at full capacity since the incident occurred.

What is OPM doing to make sure Federal employees are protected?

OPM is currently in the process of sending notifications to individuals whose personally identifiable information (PII) may have been compromised by the incident involving personnel records. Since the investigation is ongoing, additional exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

In addition, OPM has been working with the leadership of affected Federal agencies to inform them to the fullest extent possible what data was compromised so that each affected Federal employee has the resources available to protect their interests.

In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring services, and identity theft insurance to potentially affected individuals, at no cost to them. The comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services.

Additionally, it is an important reminder that we discovered this incident as a result of OPM’s concerted and aggressive efforts to strengthen its cybersecurity capabilities and protect the security and integrity of the information entrusted to the agency. Accordingly, OPM has been working with the Department of Homeland Security and the Office of Management and Budget to determine what steps can be taken to accelerate already planned network and systems enhancements and institute the necessary tools to detect and mitigate emerging cyber threats.

I am undergoing a background investigation and have been asked to complete my SF-86 (or provide information pertaining to someone else’s background investigation) but understand that the systems that house OPM’s background investigations data have been compromised. Can I be assured that the data I submit is secure?

OPM remains committed to improving its security capabilities and has invested significant resources in implementing tools to strengthen its security barriers. Additionally, the Office of Management and Budget (OMB) has instructed Federal agencies to immediately take a number of steps to further protect Federal information and assets and improve the resilience of Federal networks.

OPM continues to process background investigations and is working closely with OMB, the Department of Homeland Security and other experts across the government to detect and thwart evolving and persistent threats.

Protecting the security and integrity of the information entrusted to OPM is central to our mission, and we will continue to keep you apprised as the investigation continues.

Notification FAQs

Am I affected by the breach of personnel records? Can I expect to receive a notification that any of my records were involved?

As part of our ongoing notification process, we are committed to providing the most up-to-date information to ensure affected individuals have the necessary resources and information available to protect their interests and security. OPM is continuing to examine the data and systems that may have been compromised. For example, we have confirmed that any Federal employee from across all branches of government whose organization submitted records to OPM for future retirement processing may have been compromised—even if their full personnel file is not stored on OPM’s system.

These individuals were included in OPM’s initial estimate of approximately 4 million individuals whose data may have been compromised and are currently being notified. These records include service history records (such as the SF 2806), court orders, and other records and information that pertain to annuity calculations. The Personally Identifiable Information (PII) contained in these records includes name, Social Security numbers, dates of birth, and possibly other sensitive information.

Current and former Federal employees, from all branches of government, may receive a notice if:

  • They currently work for a Federal agency for which OPM maintains the personnel records.
  • They previously worked for a Federal agency for which OPM maintains the personnel records.
  • They worked for a Federal agency or organization that submitted to OPM service history documentation to support future retirement processing. While organizations across all branches of government must submit these records under certain conditions, organizations may also submit these for various reasons, at various times, at their discretion. Some of these reasons could include:
    • When an individual moves from one agency or organization to another.
    • When an individual separates from an organization.
    • When an individual retires from an organization.
    • When an organization has a change in payroll service center.

If you are unsure whether your organization submits related documentation to OPM to support future retirement processing, please contact your organization’s Human Resources Office.

How will I be notified if my data is affected?

OPM began conducting notifications to individuals whose personnel records were affected using email and/or USPS First Class mail on a rolling basis from June 8, 2015 through June 19, 2015. However, it may take several days beyond June 19 for a notification to arrive.

In the case of the incident involving background investigations information, the investigation is still ongoing, and we will notify affected individuals as soon as is practicable. As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals.

What are the risks of identity theft with the information that was compromised?

Receiving a notice – email or letter – does not mean that the recipient is a victim of identity theft. OPM is recommending that people review their notices and the recommendations provided. In order to mitigate the risk of fraud and identity theft, we are offering credit monitoring service and identity theft insurance for 18 months. Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration.

How long will it take to inform all the potential victims involved in the incidents?

OPM began conducting notifications to individuals whose personnel records were affected using email and/or USPS First Class mail on June 8, 2015 and will continue notifications on a rolling basis through June 19, 2015. It may take several days beyond June 19 for a notification to arrive by email or mail.

In the case of the incident involving background investigations information, the investigation is still ongoing, and we will notify affected individuals as soon as is practicable. As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals.

I haven’t gotten an email or a letter yet. Does this mean I am not affected?

For those individuals potentially affected by the incident announced on June 4 regarding personnel information, all notifications will be sent by June 19. Because of the volume of affected individuals, OPM is sending notifications on a rolling basis. Please note that while all emails and letters will be mailed by June 19, it may take several days beyond June 19 for notification to arrive.

Since the investigation is ongoing, additional exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

May employees be granted duty time and use government telephones and computers to contact CSID to register for identity theft coverage?

OPM strongly encourages agencies to allow employees to contact CSID while on duty time. If an employee does not have Internet access, OPM strongly encourages agencies to work with those individuals, as appropriate, to provide them access.

Can my family members also receive services if they are part of my file/records?

At this time, we have no evidence to suggest that family members of employees were affected by the breach of personnel data. Since the investigation relating to the breach of background investigation data is ongoing, additional exposures may come to light. In that case, OPM will conduct additional notifications as necessary.

I received an email from opmcio@csid.com. Is this email from OPM, or is this a phishing scam?

OPM has contracted with a firm called CSID to help it send notifications as quickly as possible. For those individuals potentially affected by the incident involving personnel information, the emails will come from the sender “OPM CIO” from this address: opmcio@csid.com.

If you get an email about the breach from a different address, it may be phishing, which is defined as a criminal effort to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Do not click on any links or provide any personal information if you suspect an email is phishing.

In a valid email, there will be a link in the body of the email that takes you to www.csid.com/opm, where you will need to click the “Enroll Now” button and provide your information. When you enroll, you will be required to provide personal information to begin your credit monitoring services.

If you would like to confirm that the email you received is valid, contact your agency’s privacy officer. The government’s privacy officers have been provided information by OPM to help them validate the emails for you.

How will OPM contact me if I no longer work for the government? What if I have changed agencies once or multiple times in recent years?

For those individuals potentially affected by the incident involving personnel information (June 4 announcement) who have left the government, OPM will send you a notification via postal mail to the last address the agency has on file. OPM will verify this address with the National Change of Address (NCOA) service before mailing a letter.

If you have moved between agencies, OPM will send an email notification to your government email account for the agency at which you are currently employed. If your email address is unavailable, notification will be sent via postal mail.

Since the investigation is ongoing, additional exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

I received a notification that my personally identifiable information may have been exposed, but it came from the Department of Homeland Security. Is this the same incident?

This is a separate incident involving Department of Homeland Security employees. Please refer to the DHS-specific cybersecurity intrusion page for more information: www.dhs.gov/intrusion.

CSID FAQs

I deleted my email from CSID. How can I retrieve my notification information?

You can retrieve your enrollment information by calling CSID’s call center at 844-777-2743 (International callers: call collect at 512-327-0705).

If a notification was sent to an individual who has died since leaving Federal service, how can the next of kin take action?

To update contact information or deceased status, call CSID’s call center at 844-777-2743 (International callers: call collect at 512-327-0705). Otherwise, the next of kin do not need to take any further action. If the notification was received by mail, please destroy the letter and the mailer. If the notification was received by email, please delete the email.

What should I do if my agency’s email filter blocks delivery of my notification? What if my notification bounces back to CSID?

If you suspect your email has been blocked by your agency’s spam filter, work with your IT support office or help desk to release the email. If you want to verify the authenticity of the email, contact your Privacy Officer or CIO. OPM has provided those offices with information for verifying the notification emails. Also, in cases in which CSID receives email bounce-back messages for notifications, it is sending out additional notifications during the week of June 22 to 26.

What happens if I don’t sign up for credit monitoring? Will I be automatically enrolled?

All affected individuals are automatically enrolled in full service identity restoration, which helps you to repair your identity following fraudulent activity; and up to $1 million in identity theft insurance, which can help to reimburse you for certain expenses incurred if your identity is stolen.

You must directly enroll in CSID’s credit monitoring and identity monitoring services by entering the activation code provided in the notification, establishing an account, and correctly answering a set of authentication questions. With enrollment in these services, CSID will ensure that your credit and credit card accounts are monitored for any suspicious or fraudulent activity.

What information will I need to provide to CSID to enroll in credit monitoring?

In order to enroll in CSID’s credit and identity monitoring you will need to provide:

  • First Name
  • Last Name
  • Full Address
  • Date of Birth (used to activate Court & Criminal Record monitoring)
  • Social Security number (used to initiate credit monitoring)

You will also need to create a username and password to access your CSID account. Once your account is created, you will be prompted to answer a set of authentication questions to validate your identity. The questions are generated by entries on your credit report such as “With which financial institution do you have an auto loan?” From that point forward, credit and identity monitoring services will be activated.

Can employees contact CSID anytime, or do employees need to wait for the notification containing the access code before contacting CSID?

We encourage employees to wait until they get notifications before calling CSID to allow for others who need technical assistance to get through. Notifications were all sent by June 19 but they may take several days to arrive.

If you believe you should have received a notification, CSID can verify whether you are eligible to enroll. Current and former Federal employees can contact CSID between the hours of 7 a.m. CST and 10 p.m. CST, Monday through Friday, and 8 a.m. to 8 p.m. CST on Saturday, by calling CSID’s call center at 844-777-2743 (International callers: call collect at 512-327-0705).

Why have the wait times for the call center been so long? What are you doing to change that?

We are sorry that some individuals contacting CSID have experienced long hold times.

The original call center phone number was meant specifically for affected individuals who received notifications. However, due to the high visibility of this incident, OPM and CSID decided to make it publicly available so that anyone could get information. As a result, many of the inbound calls into the call center are individuals inquiring about whether they have been affected and whether they are eligible for the protection services being offered. This unexpected influx of calls led to longer than expected hold times.

CSID is working quickly to decrease wait times. To address the additional volume of calls, CSID is adding several hundred more agents. It has also extended the call center hours. Individuals can now call from 7 a.m. to 10 p.m. CST Monday to Friday and 8 a.m. to 8 p.m. CST on Saturday. Highest call volumes are between 9 a.m. and 10 a.m. CST and from noon to 1 p.m. CST. Calls are answered in the order they are received.

CSID has also added an option for individuals who are calling because they have lost their PIN code or because they want to know whether they are affected. These callers will now be routed to a separate center that is exclusively dedicated to looking up PIN codes and answering those questions.

After registering with CSID, will fraud alerts automatically be in place for me with all three national credit bureaus, or will I also need to call the bureaus individually?

Credit monitoring differs from fraud alerts in that credit monitoring allows an individual to use their credit accounts without restriction and does not have to be renewed during the 18 months of service. Credit monitoring also notifies an individual of any changes to his or her credit file, including new credit inquiries, new account creation, new names associated with a Social Security number, employment history, and many other activities.

A fraud alert makes it more difficult for an identity thief to misuse your credit by requesting that a credit issuer contact you to verify your identity before it issues any new credit. A fraud alert lasts for 90 days, after which it must be renewed.

CSID can provide credit monitoring for you. But it can’t set up fraud alerts for you with the three national credit bureaus. That’s because the credit bureaus require individuals to sign up for fraud alerts personally. CSID can provide the contact information for Transunion, one of the three credit bureaus, to place a fraud alert on your credit accounts. Transunion will automatically work with the other two bureaus, Equifax and Experian, to set up a 90-day fraud alert.

Why is CSID credit card monitoring limited to five accounts?

CSID credit monitoring is not limited to five accounts. Your three-bureau credit monitoring will monitor all active lines of credit on your credit record.

In addition to credit monitoring, the service provided includes CyberAgent Internet Surveillance, which identifies compromised personal and financial information being traded in online black markets. You can enroll up to five credit cards to be monitored for this service.

While attempting to enroll at CSID, I was kicked out of the system. When I tried again, I received a notification that the PIN had already been used. What should I do?

Go to the CSID “login” page at https://opm.csid.com/login and enter your username and password. This will take you back to the last step where you left off in the enrollment process.

How do I confirm that I’ve successfully signed up for the CSID credit monitoring service?

In order to confirm that you successfully signed up, please log into your account at the following location: https://opm.csid.com/login. If you are having trouble accessing your account, please call CSID at 844-777-2743 (International callers: call collect at 512-327-0705).

What assurance do employees have that CSID will not resell or otherwise disclose employee’s information?

CSID does not resell or remarket subscriber information. You can read CSID’s privacy policy here: https://opm.csid.com/privacy-policy. If you are not comfortable with providing your personal information to CSID, you will still be covered by identity theft insurance and credit restoration services.

CSID is asking for more information to start my credit monitoring. Is CSID’s network secure? What about their website?

CSID adheres to strict Federal Privacy Guidelines. This means no additional marketing or solicitation will occur to individuals without OPM’s explicit request or approval. Credit monitoring requires specific information in order to activate, including your Social Security number. In addition, you will need to answer a set of authentication questions to establish your identity. CSID operates a highly secure system and website utilizing high standards for the data captured and the connections through which your browser accesses the online site.

CSID ensures security by employing best practices pertaining to data, and is required to comply with standards around data, systems, process, and personnel resources consistent with the same standards held for all three credit bureaus. CSID is subjected to regularly scheduled vulnerability scans, penetration tests, annual PCI audits, credit bureau audits, and other security related exercises that allow CSID to meet these compliance standards.

CSID fully encrypts critical values in production databases utilizing 3DES 168 bits method for encrypting sensitive data. This aspect prevents the exposure of sensitive information stored in the database to a hacker or unauthorized person.

The CSID site is scanned daily for thousands of hacker vulnerabilities. Once certified to this high standard of security, McAfee SECURE customers showcase their safety status by displaying the McAfee SECURE trustmark.

The TRUSTe Web Privacy Seal indicates that TRUSTe has reviewed a website’s privacy policy and it adheres to TRUSTe’s privacy program requirements. The seal also indicates that a website participates in TRUSTe’s privacy dispute resolution services and is subject to site privacy scans to detect vulnerabilities.

© 2016 Ian Smith. All rights reserved. This article may not be reproduced without express written consent from Ian Smith.

About the Author

Ian Smith is one of the co-founders of FedSmith.com. He enjoys writing about current topics that affect the federal workforce. Ian also has a background in web development and does the technical work for the FedSmith.com web site and its sibling sites.
