Earlier this month the Office of Personnel Management announced that will be sending letters to victims of its cyber breach. Within these letters included information about identity theft protection as well as credit monitoring services that would be made available to individuals affected by the breach.
On October 1 OPM’s Beth F. Cobert, acting director of OPM, did confirm via an official blog post that the notifications letters would be sent out to those whose personal information was stolen in the breach. However, the government agency did not confirm the notification timeline. Clearance holders could still be waiting weeks or even months for a notification.
What was noted is that those affected should watch for a letter – and should not respond to emails, phone calls or other means of contact.
“Impacted individuals will be notified by OPM via U.S. Postal Service mail,” Cobert wrote in the post. “Email will not be used.”
The agency has confirmed that approximately 5.6 million of the impacted individuals had their fingerprints stolen, and Cobert added that “if an individual’s fingerprints were taken, this will be noted in the letter.”
While this is a concern, Federal experts have noted that – as of now at least – the ability to misuse fingerprint data is limited, but an interagency working group with expertise in area will consider and review potential ways that this data could be misused now and in the future.
This announcement and subsequent post followed OPM earlier announcement from June that the agency would offer credit report access, credit monitoring and even identity theft insurance along with recovery services to potentially affected individuals. The question following this and other breaches is whether those affected by one breach shouldn’t worry about being victims yet again, especially in light of another high profile breach.
Last week John Legere, CEO of T-Mobile, became the most recent chief executive to explain and subsequently apologize for a security breach that included the loss of consumer information after Experian, the Dublin-based credit bureau, was hacked and exposed T-Mobile USA customer data.
“The biggest irony is that the company that is there to provide the monitoring of credit data had a breach, and its own customers have now become victims,” said cyber security expert Ondrej Krehel, founder and managing director LIFARS. “How do you trust them or any credit monitoring service now?”
Quis custodiet ipsos custodes?
The Latin phrase, which was found in the works of Roman poet Juvenal, is literally translated as “Who will guard the guard themselves?” It could be most apt now considering that even credit monitoring services have been breached, and puts the spotlight on whether those affected by one breach might be placed in harm’s way yet again.
However, for those affected by the OPM breach there are still many good reasons to sign up for the service, especially as it is being offered for free.
“I don’t see any reason for clearance holder not to sign up for credit monitoring,” said Clifford Neuman, director of USC’s Center for Computer Systems Security.
Neuman takes the position that everyone – clearance holder or otherwise – should be using some kind of credit monitoring, “whether they were subject to the OPM breach, any other breach, or even no breach.”
He noted that this monitoring doesn’t even need to be from the particular provider that OPM or any other recent hacked company is offering. The key however is to have one’s credit monitored from a reputable company.
“You can get your credit report once per year for free from each of the three credit bureaus,” said Neuman. “Also, the ‘CreditKarma’ service is actually quite good and free. Neither of these options provides active monitoring, but many organizations, such as AAA, offer the monitoring component as part of their memberships.”
Overselling
The downside to any credit monitoring is that it can be overpriced and very prone to upselling of services that most people simply don’t need. Constant monitoring of one’s credit score may not be necessary for most people, especially since a credit rating is often only reviewed when one is making a major purchase – such as a house or a car.
Some credit bureaus will also provide that free report but only if the consumer actually signs up for the monthly service, which must be canceled before a bill is incurred. Other features that most people may not need could include monitoring of court records and even sex-offender registry monitoring.
While the upselling of features can be a problem, a more significant concern is that there are firms that are anything but legitimate and may in fact be little more than phishing attempts. Instead of protecting one’s identity by signing up for these users are essentially handing over their information to the bad guys!
“Many of the offers you might see through email, or from web searches could be a scam to steal your information,” Neuman warned. “One needs to be careful about where one goes to obtain such monitoring since criminals will often leverage media attention around a breach to scare affected individuals to connecting to fraudulent sites.”
Better Than Nothing But…
Post breach credit monitoring also isn’t actually a solution to the problem as much as something that can detect future potential issues. The monitoring won’t retrieve the lost or stolen data and it can’t ensure that any compromised information won’t be used further down the line. That is the bigger concern said LIFARS’ Krehel.
“It is better to have three years of free credit monitoring, much as it is better to have free anti-virus software rather than paying for it,” said Krehel. “But then what? You are only getting three years of monitoring, but your social security number and other personal information is out there the rest of your life.”
Worse still is what happens should the credit monitoring service experience a breach, which could mean even more information gets out there.
“Even they have had breaches,” said Krehel. “We’re in circle where you can’t trust the next service you use and have to fear for breaches. Unlike a credit card number your social number can’t be so easily replaced and monitoring also won’t resolve the issue. Those affected simply have to live with a higher level of worry.”
In this regard Krehel said it is much like living with a potentially life-threatening illness where the potential is always there that it can become a serious problem.
“For those who were affected by the OPM breach there is now a third truth in life; you are born, you’ll die and your data could be breached,” he added. “If you do not take your medication – which in this case is constant monitoring – it may get worse. So for the rest of your life you need to take that medication and keep the protection mechanisms in place to stay cyber healthy.”
Trusting the government he suggested was not enough.
“You have to help yourself,” said Krehel.
For this reason, even those skeptical of signing up for credit monitoring services should strongly consider it.
“Everyone should be using some kind of credit monitoring from a reputable source after something like this,” added Neuman.