A large portion of my day deals with the financial needs and retirement planning of federal employees. So, when this recent Office of Personnel Management (OPM) hack took place, I was concerned about my federal clients, friends and family. I was not initially prepared for the scope and impact this hack could have on Feds investments and retirement savings.
Like many others, I feel confident this hack had more to do with international cyber warfare than individual cyber home invasions. Nevertheless, past and current federal employees have had their privacy invaded, their identity compromised, their reputations put at risk and their credit threatened. Worse yet, their employer, their very own federal government, virtually handed over the proverbial keys to the thieves (by providing inadequate information protection).
First let’s look at what we think we know –
- The Office of Personnel Management (OPM) was hacked in December of 2014.
- The gaping hole was finally (by accident) detected in April of 2015.
- OPM announces hack on June 4th 2015.
- At least 4 million (perhaps as many as 18 million or more) federal identities were compromised.
- The hack was initiated from within China.
- OPM has offered 18 months of ($1 million) liability insurance.
What may be true – (According to a letter written to OPM director Katherine Archuleta by Federation of Government Employees President, J. David Cox on June 11th, 2015)
- The OPM Central Personnel Data File was likely the hacker’s targeted database.
- The hackers have your Social Security Number, birthday, military records, job and pay histories, various insurance information (medical history), age, gender and race data.
- Social Security Numbers may not have even been encrypted. That would mean that your IPhone may be harder to hack than a highly sensitive federal database.
- Every current federal employee, every past / retired federal employee finds themselves in the middle of a cyber-nightmare. Potential for blackmail, threats and personal identity theft.
I recently held a financial fitness review with David (a retired Fed) when our discussion turned to the OPM hack. This was my first meeting with David, but, I could see he was greatly concerned about the security of his retirement funds held with a different wealth manager. I offered David some “low tech” solutions to a “hi tech” problem. I suggested David change his login and password. This time taking into consideration that someone in the dark cyber underground knows:
- David’s mother’s maiden name
- where he went to school
- his oldest brothers middle name
- his first pets name
To protect his retirement funds, David created a completely unfamiliar login, password, security questions and answers. In a sense the old David now belongs to someone else, he had to recreate a new David.
As a past Internal Revenue Service (IRS) employee, my mind went to the already massive problem the IRS deals with concerning the theft of identities. According to one of their websites, between 2011 and 2013 the IRS stopped 14.6 million “suspicious” returns.
In some cases illegal aliens use stolen Social Security Numbers (SSN) to get U.S. jobs. Cyber crooks do the same thing to our tax collection system that they do everywhere else…they steal from it. I remember hearing about an identity protection pin (IP PIN) that the IRS issues, to taxpayers, when it confirms an identity theft situation. This PIN then has to be used in each subsequent year to prevent fraudulent filing of federal income tax returns.
Now that I remember this fact, a terrifying realization has hit me. I recognize a potentially frightening scenario that I believe could happen to federal employees on a massive scale…if not changed immediately.
Scenario – You file your legitimate tax return in a future year. During that year, so does the hacker or someone that purchases your hacked identity.
Your Social Security Number (SSN) now qualifies for the IP PIN, since there has been a potential identity theft attempt with your tax return. However, your cyber doppelganger beats you to the punch. He fills out the IRS form #14039 and “HE” receives the IP PIN (online), not you! Now you are on the outside looking in at your own identity. In a surreal set of circumstances you now have to prove who you are. In the government’s eyes the thief is more likely to be you than you are.
How did he do it? The information that has been reported stolen, in the OPM hack, is the same information required to obtain an IP PIN. IP PIN Steps – You have to:
- Request the IP PIN online.
- Provide your email address.
- Provide your SSN
- Provide your Date of Birth
- Show the previous year’s filing status
- Provide your mailing address from you most recently filed tax return.
What’s a concerned Fed to do?
I have some suggestions that I am currently addressing with my clients:
- Let your voice be heard, contact your federal representative – Lifetime identity protection and identity insurance for everyone touched by this debacle should be a minimum starting point. I agree with J. David Cox, the 18 months of identity liability insurance just isn’t enough. What happens when the 18 months have passed? 18 million is a lot of identities to sift through. Your name may be at the bottom of the list. It could take the cyber thieves 19 months to even get down to your name. Are you on your own at that point?
- Contact your congressional leaders. I believe the IRS should issue IP PIN’s to every Fed now, before someone else shuts you out.
- Change all your logins and passwords. I am not a “techie,” but I would suggest that each login for each account you have should be, alpha-numeric with special characters and completely dissimilar from one another…completely.
- Get your free credit reports (every year) from www.annualcreditreport.com. Check for any accounts or charges you don’t recognize.
- File taxes early.
- Check out the Federal Trade Commission (FTC) “IDENTITY THEFT” page.
- Request a new PIN from Thrift Savings Plan (TSP). You can change your PIN at any time. To do so, call the Thrift Line (1-TSP-YOU-FRST) enter your TSP account number and existing PIN. Follow the directions to change your PIN.
TSP seems to be (in my opinion) the one area that “May Not” be any more vulnerable today than it was a year ago. The TSP requires a PIN to access accounts. They use the good old United States Postal Service (USPS) to get that PIN in your hands. Cyber creeps have a hard time coming up with info not floating around in cyberspace.
But, my best piece of advice is, don’t wait, take steps NOW to protect everything you have worked for!
The opinions voiced in this material are for general information only and are not intended to provide specific advice or recommendations for any individual.