OPM And Other Data Breaches And Your Personal Security

by on July 23, 2015


Data Breaches Should Not Be Happening in This Day and Age

I am so sick of organizations we trust getting their computer databases breached. If they were to actually spend the money securing their databases, well, it would be nice, right? And can we really pay someone to “protect” us from the evils of Identity Theft? Is LifeLock worth it? (See my last paragraph for that one.)

As far as data theft and breaches go, Sony was a huge breach, but that was more of an inside look at how Hollywood works. Target made the news big time, and hopefully they’ve stitched up their leak. But then there were these other big time data breaches:

  • Blue Cross (Names, birthdays, email addresses, addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information and medical claims information),
  • Anthem (Names, birthdays, medical IDs, social security numbers, street addresses, email addresses and employment information, including income data),
  • Chick-fil-A (Customer payment card numbers (reportedly)),
  • US Postal Service (Names, dates of birth, Social Security numbers, addresses, employment dates and emergency contact information),
  • Staples (Customer payment card numbers),
  • Kmart (Customer payment card numbers),
  • Dairy Queen (Customer payment card numbers),
  • Home Depot (Customer payment card numbers),
  • P.F. Chang’s (Customer payment card numbers)…

Well, you get the idea. People and organizations we trust are losing our data. Data that can lead to identity theft.

– – –

It’s one thing when a dump like Ashley Madison gets breached, so be it, that’s like Karma. (Best quote I’ve seen related to this breach was something akin to, “It feels horrible getting your data breached and out there, almost like a violation of your trust!”) But over the last few years, with places like Target, and now with the OPM data breach, it is disgusting how little emphasis is put upon protecting the data you entrust to these businesses, while they eyeball the bottom dollar.

When I was a network admin, I was once told by a higher up that IT “is a necessary evil.” Which I translated to “IT is needed but the costs are not wanted.”

In 2014 there were 783 data breaches, with the Medical/Healthcare industry accounting for 42% of them, the Business sector for 33% and the Government/Military for 11%.

Then in April 2015 the OPM.gov site reported being breached, declaring records for 4.2 million people were compromised. It was later noted that another breach, in May/June of 2015, nailed more folks, making it 21 million people in their database who had their sensitive information, including Social Security Numbers (SSNs), stolen during this breach. These 21 million folks include almost 2 million spouses or co-habitants of the folks in the OPM system.

– – –

In case you don’t know, the OPM is “The United States Office of Personnel Management (OPM)” and is an independent agency that manages the civil service of the federal government. Or, if you want to put it all out on the table, they process the paperwork for folks who get their government clearances, who work in the defense and other related industries.

Meaning if you have any kind of clearance, your data has been absconded with.

Now for those with clearances, they’ve been told about this and are aware. They have also been informed that the agency will be distributing short-term Identity Theft packages to those impacted by this data breach.

The breach took place in April and two months later no one has yet been notified by the OPM. The updates that impacted folks get come from news updates via third parties like MSN or from the OPM website.

Two months where 21 million folks are left stranded, and what, hoping for the best?

If you have filled out an SF-86, SF-85, or SF-85P form you are one of the 21 million. The short list of those affected includes:

– – –

  • Current and former Federal government employees
  • Current and former Federal contractors
  • Job candidates for federal employment who were required to complete a background investigation
  • Spouses and co-habitants of current and former Federal employees, contractors, and job candidates whose information was stolen
  • Immediate family, close contacts, and references of current and former Federal employees, contractors, and job candidates whose information was stolen

– – –

As of a few days ago OPM is working with other agencies to set up a system to inform the victims. They’re going to hire one centralized outside contractor to start notifying the impacted folks, and yet they have not even started taking bids yet.

But I am not sure I would hold my breath. In the last government data breach, some folks were telling me it was a year before anyone was notified.

To me this seems irresponsible to let something like this go on for any period of time after such a breach. But on the bright side, the CEO of OPM stepped down. Won’t that make everything better!?

Other actions that OPM says it is doing, where I am taking the word “is” as a passive state, is,

“will work with a private-sector firm specializing in credit and identity theft monitoring to provide services such as:

  • Full service identity restoration support and victim recovery assistance
  • Identity theft insurance
  • Identity monitoring for minor children
  • Continuous credit monitoring
  • Fraud monitoring services beyond credit files

The protections in this suite of services are tailored to address potential risks created by this particular incident, and will be provided for a period of at least 3 years, at no charge.”

Their statement indicates that impacted folks will receive notices in the coming weeks. Then again, weeks could be a geological reference.

The Fix For the Data Breach

I’m not sure I’d wait for them, but rather, possibly go ahead and cover yourself first. Remember, the only person truly looking out for you, is you. I’d take a peek at LifeLock and other services and possibly look into picking it up now, and then when/if OPM contacts you, you can work out the details later.

Are There any Precautions You Can Take?

Here’s a snippet from Time.com:

If your email address has been stolen…

Watch your inbox for messages requesting information or requesting you to click on a link. If you receive a suspicious email from a company you do business with, call the sender to verify that they did indeed send it.

If your password has been stolen…

Change your password for that account immediately. If you use the same code for other accounts, change those as well.

If your credit or debit card number has been stolen…

For credit cards: Call the creditor and ask for a new card with a new number. Some creditors will automatically reissue cards to affected customers in wide-scale breaches. You also have some protections under the Fair Credit Billing Act.

For debit cards: Since the card was not lost, you are not liable for any unauthorized transactions if you report them within 60 days of receiving your statement. Still, you should cancel the card and change your PIN. If the bank account number was also exposed, close the account and open a new one with a new number. Consider asking for a verbal password, too, which prevents bank personnel from discussing your account with anyone unable to provide that password.

If your social security number has been stolen…

Contact one of the three major credit reporting agencies and have them place a fraud alert on your account. That agency will then be legally bound to notify the other two agencies to do the same.

Sometimes the letters from breached companies also contain offers for free credit report monitoring provided by the company. While these programs are not generally worth paying for—since you can monitor your own credit for free—you may as well accept it if it’s being handed out. Monitoring services will alert you to some uses of your SSN quicker than you may be able to spot through your credit report, meaning you can resolve any problems quicker.

(Alongside these snippets I quoted from Time, there are additional resource links you should take a peek at on the site. See my source list below for the Time link.)

Again, don’t depend on anyone but yourself to look out for you. Take action and be on top of things. Especially nowadays. But…

Is LifeLock Worth It?

After saying to grab LifeLock, it got me to thinking and I decided to look around. One site had a horrible user rating score for the company. I then went straight to Consumer Reports, who had this to say:

Protect yourself for less. Monitor your financial statements and credit reports for suspicious activity that can lead to identity theft. If your credit cards are lost or stolen, you don’t need Lifelock to notify your financial institutions to cancel and replace them. If your Social Security number is out there, we suggest that you put a security freeze on your credit reports at the big three credit bureaus–Equifax, Experian, and TransUnion.

There’s more at their LifeLock ID Theft Protection article. Go peruse that for yourself, or the “Do It Yourself Safeguards” article.

If you are/were one of the victims from the OPM or any other data breach, you may want to rethink your strategy and get proactive on the matter.
