BreachExchange mailing list archives

Here’s How OPM Is Telling Hacked Feds Their Data Was Stolen


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 19 Oct 2015 18:00:36 -0600

http://www.nextgov.com/cybersecurity/2015/10/heres-how-opm-telling-hacked-feds-their-data-was-stolen/122936/

Victims of a data breach that exposed intimate details on national security
professionals inside and outside government, along with their families have
begun receiving a generic notification letter directing them to a
government website for assistance.

But, be forewarned, the site at the Office of Personnel Management, the
agency responsible for the data, directs affected individuals to a dot-com
web page for entering personal information.

The recently updated OPM site also now displays exactly what these letters
look like, apparently to prevent any of the 21.5 million victims from
responding to fraudulent letters.

There are two types of notices: one for the roughly 16 million employees
and family members whose Social Security numbers are known to have been
compromised and another for the roughly 6 million people whose fingerprints
were also copied.

The letter contains a PIN that is required to register for three years of
ID protection services.

The Defense Department, in coordination with OPM, has propped up the
infrastructure to mail the letters, hunt down addresses and let people who
think they might have been affected self-check their status.

The letters carry the insignia of OPM on the envelope and letterhead,
according to recipients.

The message inside is from acting OPM Director Beth Cobert. It reads, in
part:

"If you applied for a position or submitted a background investigation
form, the information in our records may include your name, Social Security
number, address, date and place of birth, residency, educational, and
employment history, personal foreign travel history, information about
immediate family as well as business and personal acquaintances, and other
information used to conduct and adjudicate your background investigation.
If your information was listed on a background investigation form by a
spouse or co-habitant, the information in our records may include your
name, Social Security number, address, date and place of birth, and in some
cases, your citizenship information."

The message to people whose biometrics were stolen is more specific: "Since
you applied for a position or submitted a background investigation form...
Our records also indicate your fingerprints were likely compromised during
the cyber intrusion."

The hack, which was first disclosed in June, covers individuals who applied
for a clearance to handle sensitive information as far back as 2000,
according to officials, and was purportedly part of a cyber espionage
campaign backed by the Chinese government.

Callers to a 1-800 number provided in the letter are encouraged to enroll
online rather than over the phone. A recorded message said notification
letters are being “continuously mailed out with an estimated completion of
mid-November.”