News appeared last week that more than a million American victims of the Office of Personnel Management (OPM) hack had not been notified that they were involved.
After the US Government finished sending postal notifications to 21.5 million people, Venture Beat reported that seven per cent of those hacked (around one and a half million) could not be informed that they were involved because the OPM did not have their addresses.
The hack took place in June 2015 and leaked names, addresses, social security numbers and other sensitive information for current and former federal employees and contractors. Initially it was reported that 1.1 million were affected, but it was later revealed that 5.6 million fingerprint records were breached.
Initially, those who could not be contacted were sent notices asking them to update their contact details (we assume by email or phone, rather than by posting repeatedly to the same address), while a 'media campaign' was launched to tell people that they could check online to see whether their information was included in what was hacked.
As part of that checking procedure, the Department of Defence contracted a company (rather than missing persons) named Advanced Onion to help trace those missing people. The DoD also established a verification center for potential victims.
So far, I guess this is satisfactory. The US Government was making efforts to inform people if they were caught up in the breach and give them the chance to change details and take advantage of credit monitoring services.
On its website, the OPM has said that “if you believe that you were impacted, but have not yet received your notification letter, we ask that you wait until mid-December before contacting the verification center”. That's right: a full six months after the breach, people are being asked to wait until this week before contacting the center to find out whether they were included.
The letter being sent out, posted here by John Matarese, states that OPM has partnered with the Department of Homeland Security and US-CERT to determine the impact upon personnel. “OPM immediately implemented additional security measures and will continue to improve the security of the sensitive information we manage”.
However, for those who are concerned, there was a six-month wait to find out whether they were affected. Speaking to consultant Jay Abbot, I asked him whether he felt that the OPM breach was a demonstration of poor contingency planning, and whether there should be better notification plans in the event of a breach.
He agreed that the OPM breach was bad, but said the response timeline would have been related to the fact that it was in central Government, where investigations would have needed to be done and double- and triple-checked before any public action could be taken.
He said: “In my opinion it’s not a great benchmark for the timeline in Government or the private sector, but we have to make assumptions that given the risk of exposure to critical ‘in theatre’ assets that by the time the letters were posted, many additional actions that the general public are not privy to would have been completed.
“In Government this is always going to be an issue. The public perception of action does not account for those actions that they are not privy to.”
So is this simply a case of prolonged investigations being peculiar to the public sector and .Gov environments? Abbot said that a breach in the private sector is handled with speed and openness, despite the concept of company-sensitive information.
“People just want to know you are doing the right things as fast as you can,” he said. “In that case, leveraging multiple forms of engagement with your customers makes sense. If you’re a large B2B company with a few large clients then social media isn’t really your target, but speaking to your clients face to face might be the better option.”
In 2015 we have not seen the level of breach that occurred in 2013 (see Adobe and Target) or 2014 (see eBay, JP Morgan Chase), but we have seen breaches which have damaged people's confidence in the websites (Ashley Madison) and services (TalkTalk, Anthem) that they choose to use.
In the case of the OPM, this is significant in my view: it is a US Government department, and while no organisation can guarantee an expected standard of security, in this case it was both former and current employees and former contractors whose details were breached.
The Washington Post also reported this week that its own reporters covering the Defense Department, the White House and the CIA had confirmed that they too received the notification letters, telling them their personal information may have been stolen and urging them to sign up for free credit monitoring and identity-theft protection.
With so many breaches running into millions of records lost, I am concerned that we are in danger of becoming desensitized to the impact of a breach. In the case of OPM, a Government department losing data is, in my opinion, the next level: the department was trusted with the security of personal data and failed in that task.
The UK is not immune to such an incident; the HMRC loss is fresh in the minds of many people in security. This incident has reminded us that Government is as vulnerable to attacks and breaches as the private sector, and that the public remain at risk whenever their data is held.