After denying Chinese hackers had gained access to federal security clearance background data during a December hack, OPM officials acknowledged Friday the data stolen included background investigation data for current and former federal employees.
Officials didn’t acknowledge who may be affected by the breach, but the numbers are likely to be staggering. Earlier this week OPM announced the personnel files of more than four million current and former federal employees had been stolen. Data included unencrypted social security numbers, performance reviews, names and dates of birth, and more. For employees who had their background investigation data stolen, the breach is even more significant. The entirety of at least some SF-85 and SF-86 background investigations held on OPM servers was breached, meaning sensitive data, including information on relatives and spouses and details on everything from mental health counseling to sexual behavior, is now in the hands of the Chinese government.
It’s a foreign intelligence data mine, and is likely to be used for both phishing and blackmail against current cleared employees, as well as retaliation against any Chinese-born friends or family members who may have been indicated on the paperwork. The breach doesn’t just affect currently employed professionals, however. Officials say the background investigations of employees who were denied clearances, as well as those who withdrew from the employment process, were also compromised.
How do you know if you were affected?
OPM stated it plans to notify affected individuals via email. Some federal employees report they have already received notification their personnel data was stolen, including information on credit monitoring and theft protection services. Even if you don’t receive notification, it’s a good idea to assume your data may have been compromised if you are a current or former federal employee or cleared professional whose clearance was processed through OPM. Given the slow trickle of information, the extent of the breach is likely to continue to get worse before it gets better.
What can you do?
1. Be wary of any emails.
The phishing attacks are likely to come from beyond Beijing. Given the widespread media coverage of the attack, copy-cat spear phishers will use this as an opportunity to send federal employees or contract workers imitation emails about credit monitoring services. Don’t reply to emails, or download anything from them, if they come from a source you don’t trust. When in doubt, notify your security officer.
2. Review your SF-86.
Now is a good time to review your SF-86 and consider if any information included could be a gold mine for a Chinese operative. Notify friends, family members and co-workers listed on the form to beware of any suspicious email or in-person communication. Note that their contact information – including addresses and phone numbers – has been breached, as well. Also notify your spouse to be aware of any suspicious credit activity, as spousal social security numbers are also included on the forms.
3. Invest in a quality anti-virus program.
Anti-virus software is far from a complete fail-safe, but something is better than nothing. Now is the ideal time to do an audit of your computer system and be sure no spyware is present. Make sure your software programs are up-to-date, and scan your system regularly. But be aware that an educated user is the best protection, and know that both your professional and personal email addresses are likely to be a target of future – and likely very sophisticated – spear phishing attacks. Warn anyone else who may check your email address – spouses, children, personal assistants – not to open any email or download any programs without verifying the information.