The biggest federal hack in American history took place in June, with millions of civil servants notified on Friday, June 12, that their data had potentially been breached. They were urged to take measures to protect their identity, and to “be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information.” Additional tips include checking credit card statements and bank accounts and beginning to monitor their credit report for signs of identity theft. However, identity theft can sometimes take weeks or months to show up on something as “late blooming” as a credit report. These millions of federal employees and retirees likely have months of poring over statements ahead of them.
Agencies and offices around the country were frazzled at the end of the week, confused about next steps and worried about what kind of information the hackers actually stole. According to the Office of Personnel Management (OPM), even as the news broke this was by far the biggest hack in existence in the US—but it might be bigger than anyone knows. The FBI has teamed up with OPM and other government agencies to figure out exactly how expansive this hack is. It’s possible that many additional federal employees and former employees were also compromised.
Some employees have spoken to the press, such as Matthew Palmer, who no longer works at the State Department. He didn’t get the email notifying him of the breach, but heard about it from a friend who still works at the agency. “Change every password ever created,” was the advice Palmer received. He says, “I basically vacillate between being really panicked and being really angry at the government that this information was not secured in some better way. Who is in danger? I listed friends on those forms and my family members…are some hackers going to start going after them?” Like Palmer, millions of people have noted that it was like a panic button was set off when that email arrived.
Palmer says, “They (the government) are basically telling us to be suspicious of everything and just keep checking to see if someone steals our identity.” However, he notes that’s a horrible plan. The email spelled out how the OPM will continue with notifications once they figure out which employees were actually hacked, as well as tips on verifying information that employees may receive to ensure it’s not a hacker’s scam. However, those are basic tips that anyone and everyone should already be following. The email does little to explain, and even less to tell employees, how the breach occurred.
Classic Scams Gone Overboard
The email explains that classic phishing attacks may be used, such as fake URLs and virus-riddled attachments in emails. Palmer, as an ex-employee, felt comfortable talking to the media about what kind of information the government really gets from new employees. “Hundreds of pages” are gathered where employees detail everything about themselves, like “who you are sleeping with,” says Palmer. Employees must complete a 117-page document detailing private matters. Some employees, such as those stationed in the Middle East, are worried that their personal life (such as being gay and married) will be made public in an environment that may be hostile.
According to the American Federation of Government Employees (AFGE), it’s assumed that the Central Personnel Data File was breached and hackers now have all the records of every possible current and former employee. Their social security numbers, pay history, insurance, data and bank information (for items such as direct deposit) may all be compromised. President of the AFGE, J. David Cox, says, “These people (the hackers) are smart enough to hack into (OPM’s) systems, they’re smart enough to wait 18 months before exploiting the information they took.”