BreachExchange mailing list archives

More than a million OPM hack victims still not notified


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 11 Dec 2015 18:08:30 -0700

https://www.yahoo.com/tech/s/more-million-u-opm-hack-victims-still-not-204712825.html


More than a million victims of a massive hack of U.S. government computer
files have still not been officially notified that their data was
compromised and that they are eligible for free credit-monitoring
protection, officials said on Friday.

The government this week finished sending notifications through the Postal
Service to 21.5 million people affected by the breaches, said the Office of
Personnel Management (OPM), the federal hiring agency that was hacked.

The intrusions, linked to China, began in May 2014 and were not discovered
and announced publicly until a year later.

The postal notifications should be received by the middle of next week, but
about 7.0 percent of those hacked, or roughly 1.5 million people, could not
receive notification letters because their addresses have changed or are
not on file, OPM said.

The hack exposed names, addresses, Social Security numbers and other
sensitive information for current and former federal employees and
contractors, as well as applicants for federal jobs and individuals listed
on background check forms.

In an interview on Friday, an OPM spokesman said it would resend postal
notices to updated or changed addresses and rely on a "media campaign" to
tell people they can check online to see if their information was hacked.

"We’re going to clean up that 7.0 percent and get as close to 100 percent
as possible," OPM spokesman Sam Schumach said, calling 93-percent
notification "a really high percentage."

OPM will not rely on email notifications to close the gap. Victims of a
smaller, related OPM hack were notified by email and given instructions
about what to do, but some experts said the emails unfortunately resembled
a phishing scam.

"It's just not as secure," Clifton Triplett, OPM’s newly appointed cyber
adviser, told Reuters on Friday.

The government awarded technology firm Advanced Onion a $1.8 million
contract to help locate and notify those affected by the data heist. More
than $130 million was awarded to Identity Theft Guard Solutions to provide
victims credit and identity-theft insurance for three years.

Cybersecurity researchers have said there is no indication that information
from the hack has appeared for sale on online black markets and that this
suggests the Chinese government, not criminals, stole the data trove.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 