If you’ve uploaded your data into the Office of Personnel Management (OPM) e-QIP database, there’s a chance your personal information was breached.
The New York Times reports, according to senior U.S. officials, that hackers were able to gain access to some of the OPM databases prior to being detected, and shut-down. Officials are confirming the breach, but aren’t yet saying who was responsible and what, if anything, was stolen.
Secretary of State John Kerry, who on July 10 was in Beijing, notes that the breach of the OPM’s system was not brought up with any specificity during his discussions in China, but that the overall topic of cyber activities was raised during his discussions with his Chinese counterparts. The Office of Personnel Management (OPM) and the Department of Homeland Security (DHS) are both claiming “Neither OPM nor the US-CERT have identified any loss of personally identifiable information,” which of course would be that of US federal employees – current or former. In addition, OPM is responsible for the bulk of US government security clearance processing, and thus would have in their databases sensitive personal knowledge which could be used by a hostile intelligence service in their targeting efforts.
While we wait for OPM, DHS and the other government agencies to determine the true extent of the breach, it may be wise to take some precautionary steps now. For example, all individuals who are or have been employees of the US federal government should sensitize themselves to the many techniques that both cybercriminals and state-sponsored entities may use to individually engage and compromise their persona or computing clients (laptop, smartphones or tablets).
Do not click on links contained in emails, prior to validating the provenance of the email with the originator. Similarly, do not open attachments – be they pictures, videos or documents.
Email – friend or foe
If not already standard practice, learn how to inspect the headers of all emails to determine point of origin and concordance of email address with email name. Spoofing an email address is not a high technological hurdle. Don’t believe the contents are safe just because you recognize the address.
Ensure all resident secure software is set for automatic updates. Watch for any anomalous events involving your devices be they professional or personnel and report those anomalies to their agency or department security department.
And lastly, follow the advice when it comes, from your specific agency on anomalous activities which your colleagues may have encountered. Also be mindful of new “friends” on social networks, as well as the engagement of friends and family (who may have been included on your SF-86).
Remember, you don’t get to choose who an adversary targets. Your defense, especially if this breach includes your personal identifying information, is to be alert that this information is being used and how it can be used with respect to you the individual. The information included on your SF-86 includes data that can put you at risk for personal and professional targeting.