“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”
― Stephane Nappo
“This letter is to notify you of a potential compromise of your Personally Identifiable Information (PII). During the May to July 2019 timeframe, some of your personal information, including your social security number, may have been compromised in a data breach…”
Like a couple of hundred thousand others, my standard form letter from the Defense Information Systems Agency (DISA) arrived last week, notifying me that once again, my personal information had been compromised in yet another data breach. As I read the letter, I wasn’t even mad. I just sighed. It’s not even worth wasting the energy on anger. It’s happened before. It will happen again.
I was among the 21 million people exposed in the 2015 Office of Personnel Management breach, so this was nothing new. Like many others, I now enjoy identity monitoring services for at least the next five years, and probably longer with this latest breach. At some point, I’m guessing it will be mine for life, since I don’t see a time when this will stop occurring. Maybe in the future, identity monitoring services will be issued to new government employees, handed out like uniforms and boots in basic training. Despite the best efforts of the faceless bureaucrats in the Government Accounting Office, that seems to be the direction we’re heading.
No, I’m not angry. I’m not even surprised. Maybe a little disappointed. The form letter from DISA was the typical tripe you receive in these incidents, with no useful information and even less transparency. For once, I’d like to receive a letter that actually explained what happened. In this case, the breach occurred months ago, plenty of time for DISA to identify the cause of the breach and offer some sort of explanation. It seems the least they could do, considering that 200,000 of us now need to be concerned that our personal data is, once again, on the loose. Was it Jeff and Tina, upset over being denied immortality in annual information assurance training? Was it Karen, leaking our data after being ridiculed with impunity on social media? Or was it Carl, tired of being told to shut up? We may one day know the answer, but we won’t hear it from DISA.
Instead, we hear the empty apologies: “We deeply regret any inconvenience the potential data breach may cause you.” Not to put too fine a point on the issue, but the only regret anyone feels comes from being forced to admit the breach. No one really cares if you’ve been inconvenienced. No one is all that concerned about your personal data being compromised. The only thing that really matters is having to explain another entirely avoidable breach. We’re collateral damage. Unfortunate, but really not all that important.
No, I’m not angry. One day, the truth behind the breach will be exposed: someone who fell prey to a phishing email, someone who left a government laptop sitting in the passenger seat of a rental car, someone who just didn’t do their job securing our information. But nothing will change. Eventually, you’ll get an email notifying you that your credit card information has been hacked. You’ll get a letter informing you that your financial data has been leaked. You’ll get a phone call telling you that your social security number has been frozen (you can ignore this one). This is the new normal.
The last sentence of the DISA form letter includes an email address and an offer to answer any questions or requests for more information. While I have zero confidence that such an email would produce any answers, I’m tempted to try. I’ll keep my expectations low, pretty much at the same level I have for them securing my personal information.