OPM Data Breach Letters Have Gone Out
Last June, the federal government’s Office of Personnel Management (OPM) made a startling announcement: it had been the victim of a sophisticated, large-scale hacking event.
The resulting data breach compromised the highly sensitive information of more than four million government employees, including names, Social Security numbers, birthdates, and more. It didn’t take long before another data breach was discovered. The federal workers who have the highest levels of security clearance were among those employees who were affected by the second data breach. That’s important because their applications for those clearances (SF-86) were lengthy—more than one hundred pages of personal history, information, and in some cases, even fingerprints.
These stored files included highly detailed information on practically everyone the applicants had ever met: college roommates, former coaches and employers, distant relatives, and more. When cybercriminals stole that extensive data, it brought the number of people affected by the hacking event to well over 21 million, many of whom might have had no idea the government even had their information. As of this week, the OPM and the Department of Defense have finished mailing out the notification letters to everyone who was impacted by this event. With the abundance of mail coming through the postal system at this time of year, it may be a few more days before those letters reach all their intended recipients.
So what do you do if you receive a letter from the OPM? The same thing you do if you receive any notification letter informing you that your data has been compromised. First, you don’t panic, but you also don’t disregard it as just another 21st-century crime. You read it very carefully for any specific instructions, you follow those instructions, and you put the letter in a safe place.
A typical notification letter starts by informing you exactly what information was compromised in the breach. In the case of the four million employees, hackers got everything. But for the “outsiders” in the secondary breach, who were only listed as additional sources of verification and reference, Social Security numbers, for example, aren’t believed to have been gathered in the first place and therefore weren’t compromised. In any hacking event or data breach, always read the notification carefully to learn exactly what personal information the thieves obtained in the incident.
The letter should also provide you with suggested steps you should take. For a breach that only compromised email addresses and account passwords, you might be instructed to simply change your account password and look over your account history carefully. However, in a situation where all of your sensitive identifying information was obtained, you will be given more detailed instructions and possibly even offered credit monitoring and protection.
Finally, it’s important that you put your notification letter in a safe place once you’ve read it and followed the instructions. It may help you down the road by serving as proof that your identity was stolen, which is especially important if someone commits a crime with your good name.