Data hacked?
- Call the companies where you know fraud occurred.
- Place a fraud alert and get your credit card report.
- Report identity theft to the Federal Trade Commissi0n.
- File a report with your local police department.
- Close new accounts opened in your name.
- Remove bogus charges from your accounts.
- Correct your credit report.
- Consider adding an extended fraud alert or credit freeze.
- Report a misused Social Security number.
- Stop debt collectors from trying to collect debts you don't owe.
- Replace government-issused IDs.
Source: IdentityTheft.gov
Thousands of local federal government employees are bracing to find out if their personal data was compromised in a massive data breach that may have intruded on the personnel records of 4 million U.S. government workers.
The scope of the breach included Department of Defense employees with security clearances who could begin receiving notification Monday of the data intrusion at the Office of Personnel Management, according to an agency spokesman.
Some of the largest local federal government installations include Wright-Patterson Air Force Base with more than 26,000 mostly civilian employees, the Springfield Air National Guard Base with a total of 1,200 employees and the Dayton VA Medical Center with more than 2,100 federal workers.
Thomas C. Robinson, executive assistant of the American Federation of Government Employees Council 214, said Friday the breach was “a reason for great concern.” The council represents more than 6,000 workers at Wright-Patterson.
Government personnel records have a broad array of information that raise the risk of identity theft if compromised, officials said.
“It’s as broad as this: Social Security number, your address, your birthday, your service computation date, your entire work history, your pay, your education,” he said. “For identity theft, this kind of data is more than what you need. It’s sufficient to make life miserable for the employee.”
The Office of Personnel Management has access to personnel and retirement records, and security investigation questionnaires “that would detail one’s life history quite well,” Jeff Hughes, president of Tenet 3, a cyber security firm in Dayton, and a former Air Force researcher, said in an email.
Robinson expected the labor council would be informed about the breach. “When we are better informed, we will know if we are very alarmed or just alarmed,” he said Friday.
Active-duty military and contractor personnel were not affected unless they had prior civilian service, according to Samuel Schumach, press secretary at the Office of Personnel Management.
Schumach said in an email the agency did not have a breakdown by locality on the number of affected individuals.
Impacted workers will be notified
Those affected will receive notification via email or first-class mail starting Monday and continue notification through June 19. The federal government urged employees to take actions to protect their personal information.
“It’s a lot of information that whoever the perpetrators are that they have now gathered,” said Thomas Skill, University of Dayton associate provost and chief information officer. “It’s substantially a big issue for us.”
U.S. government officials reportedly attributed the attack to computer hackers in China, but China has contended the allegations were unproven and irresponsible, the Associated Press reported.
Local experts weigh in
Some local cyber security experts cautioned more investigation was needed to determine the origin of the attack and the intent of the hackers.
“The first thing to understand in any hack or attack … is that attribution in cyberspace is very, very difficult so we have to be careful,” said Vance Saunders, Wright State University director of cyber security programs. “It’s very, very easy to hide oneself in cyberspace.”
“In this situation the scary part is we don’t really know if it’s a nation-state or not even though there’s a lot of speculation out there right now,” Skill said. “The nation-state threat is very real and it’s kind of an emerging threat and we don’t quite know what that will mean for us down the road.”
Federal authorities reportedly discovered the breach while installing additional cyber protections this spring. The Federal Bureau of Investigation and the Department of Homeland Security were investigating the intrusion, reports said.
“The reality is these systems that are being breached are massively complex and the great majority of those intrusions are detected and defended,” Skill said.
“The problem is the bad guys are moving faster and they’re working smarter than the good guys right now. The challenge is the good guys have to be 100 percent successful. The bad guys only have to be one time successful.
Cyber attacks have happened faster and at a more furious pace, he said.
“There are a lot of politicians talking about the need for cyber security but nobody has stepped up yet and said we need to make a major national security investment,” he said.
Hughes said the nation needs to move beyond compliance checklists, which have a place to protect data, but aren’t enough.
“…We as a nation must move beyond compliance toward continuous monitoring using strategies that mitigate the threat while being flexible enough to change in response to the threat,” he wrote.
Saunders said people need to educate themselves and take responsibility to protect critical data without waiting for technology to do it alone.
“The government can’t do it for us,” he said. “Our companies can’t do it for us.”
Among other security measures, a person could initiate a 90-day credit fraud alert on themselves, update and create stronger passwords on critical accounts, and use a two-factor authentication that requires a log in with a password with the site sending a text to a smart phone with an additional pass code, Hughes said.
“You want to make it hard for someone who is not you to use your data,” he said in an email.
About the Author