The entrance to the Theodore Roosevelt Federal Building, which houses the Office of Personnel Management headquarters, in Washington, D.C. (Photo: Mark Wilson/Getty Images)
The public may never know the full national security repercussions of a pair of catastrophic hacking attacks on the Office of Personnel Management (OPM) that were disclosed earlier this month. The perpetrators appear to have breached OPM’s systems and scooped up personal information, including Social Security numbers, on millions of current and former federal workers and contractors.
The White House has thus far refused to pin the unprecedented intrusion on any one country, though Democratic Senate Minority Leader Harry Reid has blamed “the Chinese.” The number of federal workers and contractors potentially affected is in dispute but seems to be escalating. And there are reasons to doubt early denials from OPM that the assailants made off with sensitive security information about intelligence staff and military personnel.
But the potential personal impacts on individual government workers are becoming clearer, thanks to an OPM email offering millions of them a range of services including identity theft insurance policies worth up to $1 million.
The offers came in a message from OPM’s chief information officer, Donna Seymour. Yahoo News obtained a copy from a source who received the message shortly after 6 p.m. on June 9, four days after OPM admitted to the disastrous breach.
The source, who requested anonymity, said the agency they work for was also offering counseling services “for anyone who is experiencing stress from the situation.”
Seymour’s chilling notice announces, “You are receiving this notification because we have determined that the data compromised in this incident may have included your personal information, such as your name, Social Security number, date and place of birth, and current or former address.”
The rest of the message conjures up nightmare scenarios for what someone might do with that purloined information — such as committing a crime under a federal worker’s stolen identity. It also emphasizes that “while we are not aware of any misuse of your information,” OPM has partnered with a private-sector identity theft protection firm called CSID to mitigate the damage.
An OPM employee leaves the building at lunchtime. (Photo: Gary Cameron/Reuters)
Email recipients got personalized ID numbers to sign up for one of CSID’s marquee identity theft protection programs, free of charge, for 18 months. But even those who don’t sign up will benefit from the insurance and “full-service identity restoration” through Dec. 7, 2016. This date also happens to be the 75th anniversary of the Japanese strike on Pearl Harbor.
In addition to the predictable credit-monitoring services, CSID also “monitors websites, chat rooms and bulletin boards 24/7 to identify trading or selling of your personal information,” the email notes.
It will also track court filings and sound the alarm “if your name, date of birth and Social Security number appear in court records for an offense that you did not commit.”
And it promises to detect efforts to redirect affected workers’ regular mail if someone attempts to use a stolen Social Security number or uses personal information to get “short-term, high-interest payday loans that do not require credit inquiries.”
CSID also promises to “ensure that your identity isn’t being used fraudulently in the sex offender registry.”
“We regret this incident,” Seymour writes. But “nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose.”
The message also warns that federal workers and contractors should be vigilant for possible follow-up mischief.
“Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information,” it says. “If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.”
Federal workers and contractors should not share their personal information or details about their organization “unless you are certain of a person’s authority to have the information.”
“Additionally, if you are or have been a Federal employee or contractor and become aware of any contacts or other activity that could raise security concerns, you should immediately contact your security officer or former security officer for further guidance,” it says.
Not all federal workers and contractors have received the message. Officials say it’s going out to potentially affected employees in waves.
White House press secretary Josh Earnest speaks about the hack into OPM’s computer system. (AP Photo/Evan Vucci)
“I have not received that message at this point,” White House press secretary Josh Earnest said Friday. “My understanding is that the notification process, though, is one that is a rolling one.”