Government Data Breach: What to Do Now

Senior editor, security and privacy

Credit: Office of Personnel Management

UPDATED Sept. 23, 2015, with additional information about the number of individuals affected, and the types of personally identifiable information stolen.

The government data breach disclosed yesterday (June 4) is, sadly, neither terribly large nor unprecedented, yet those affected should be on their guard for identity theft and should take any free identity protection that they're offered.

To recap, records pertaining to about 4 million current and former government employees were accessed by unauthorized persons at an unknown date before April 2015. The security breach came to light only then, when the federal government's Office of Personnel Management (OPM) began implementing a new intrusion-detection system called EINSTEIN.

It's not clear yet exactly what was stolen or who stole it. Various government officials, most of them speaking anonymously, told major media outlets that hackers operating from China were after personnel records that included Social Security numbers and employment histories. (The Chinese government has denied involvement.) The hackers' motive was presumed to be espionage.


"As a result of the incident, OPM will send notifications to approximately 4 million individuals whose PII [personally identifiable information] may have been compromised," the OPM said in a statement yesterday. 

This breach is bad, but it's not even close to making the list of top 10 worst data breaches. It's much smaller than the Anthem and Premera data breaches, two related break-ins at health-insurance companies disclosed earlier this year that together affected about 90 million people, all of whom had their full names, current addresses, dates of birth and Social Security numbers stolen. (Such stolen data was in turn used to steal 100,000 tax returns from the Internal Revenue Service.)

A Dallas-based information-security firm called iSight Partners has told The New York Times and The Washington Post that the Anthem and Premera thieves also carried out the OPM intrusion. Neither paper specified what connection, if any, the firm had to this case.

Nor is it clear how the hackers got into the OPM database. The Washington Post, without citing a source, said the intruders used a zero-day exploit, or piece of malware exploiting a previously unknown software flaw. If so, the hackers were after something pretty important, since zero-day exploits are expensive to discover, expensive to buy and can be used only once.

"In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring and identity-theft insurance and recovery services to potentially affected individuals through CSID, a company that specializes in these services," the OPM statement said. "This comprehensive, 18-month membership includes credit monitoring and $1 million in identity-theft-protection services at no cost to enrollees."

The agency urged affected individuals — which presumably includes anyone who's ever worked for a U.S. government agency, except for military personnel and Congressmen and their staffers — to request a free credit report at AnnualCreditReport.com and to monitor their financial accounts for suspicious activity.

However, those are things that everyone should do, all the time. If you're a current or former federal employee, here's what you really need to do right now:

Contact one of the three major U.S. credit-reporting agencies, Equifax (1-888-766-0008), Experian (1-888-397-3742) and TransUnion (1-800-680-7289), and ask that a credit alert be placed on your file. The agency you contact will alert the other two. For the next 90 days, you will be notified every time someone runs a credit review on you or tries to open an account in your name. You can renew the alert every 90 days, indefinitely, for free.

Find out exactly what kind of personal information was stolen: names, addresses, dates of birth, Social Security numbers, and so on. The letter from the OPM ought to tell you, but if it doesn't, raise hell until you get an answer. Only by knowing what you've lost can you properly protect yourself.

Take the free credit-monitoring and identity-protection service offered by the OPM. It can't hurt.

Consider paying for a better credit-monitoring and identity-protection service, at least for the next few months. Such services vary drastically in how they monitor their customers' information, and unfortunately, the ones that are offered for free to victims of data breaches often do the least.

Read our relevant guides: What to Do After a Data Breach, What to Do If You're a Victim of Identity Theft, and What to Do If Your Social Security Number Is Stolen.

UPDATE: In a press statement Sept. 23, 2015, the OPM said that fingerprint records pertaining to 5.6 million individuals had been stolen as part of the data breach. This follows earlier admissions by the OPM that the total number of individuals who had personal information stolen was 21.5 million.

Fingerprint records would allow foreign powers to easily identify U.S. intelligence personnel serving overseas under assumed names or in purported diplomatic positions. The fingerprint records would also let foreign intelligence services replicate the fingerprints of U.S. personnel to gain access to devices and facilities protected by fingerprint readers.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.