U.S. Government HackWhat Happened?

A massive hack infiltrated nearly every U.S. government agency, compromising 4 million current and former federal employees — a number that represents over 95% of the present federal workforce. Announced by government officials on June 4, this data breach could be the largest breach to ever target the U.S. government’s computer networks.

Hackers successfully gained access to Social Security numbers, job assignments, performance rating and training information when they broke into The U.S. Office of Personnel Management’s (OPM) network in December 2014. The OPM is responsible for conducting employee background checks and overseeing security clearances. The attack lasted until its discovery in April.

Immediately following the disclosure, the U.S. government claimed their investigation revealed China-state hackers were responsible for the attack. This is the second hack of OPM in less than a year. China was the primary suspect in both attacks.

China’s motive for their previous attack was to obtain information on employees with top security clearances. This goal could be what’s fueling this attack as well.

While most federal agencies have been impacted by the hack, legislative and judicial branches and uniformed military personnel were not affected.

The Washington Post reports that iSight Partners, a cybersecurity firm, believes it has linked the attack to the same group that hacked health insurance giant Anthem. The Anthem breach exposed personal, financial and medical information of 80 million members earlier this year.

OPM is encouraging employees to be suspicious of unwarranted phone calls, visits or emails. While not explicitly stated, this precaution may signal that detailed contact information was also exposed.

What Should You Do?

Federal employees should be on high alert for phishing emails and phone calls. Given the highly sensitive data that has been exposed, phishing attacks are expected to be on the rise. A hacker could pose as a colleague via email to send malicious links and obtain other sensitive information. Never provide personal or professional information over the phone or via email without extensive background research to verify the request.

Red Flags of a Phishing Scam:

  1. Tone seems uncharacteristic of sender
  2. General greeting that does not use your name
  3. Suspicious email domain name or unrecognizable URLs used in email links
  4. Typos and grammatical errors
  5. High-pressure tone, threats or any request for immediate action

Additional critical actions for potentially impacted individuals:

Monitor your credit and bank accounts to correct any errors promptly.
Obtain your credit report, free from AnnualCreditReport.com, to ensure that all listed accounts belong to you. Criminals may open accounts using your Social Security number and name. Also monitor financial accounts for suspicious activity. Contact your financial institution immediately if you notice any discrepancies in your financial statements.

Prevent fraudulent credit being opened in your name.
By placing a fraud alert on your credit file, a business cannot issue credit in association with your information without first verifying your identity. That means no one could simply walk into a store and get an immediate line of credit. You would receive a letter in the mail first.

Safeguard your computer.
Employees can also protect themselves from cybersecurity threats by installing firewalls and anti-virus software as well as adjusting email filters to more effectively thwart phishing attempts.

Exposed employees will receive a data breach notification from the U.S. government via mail in the coming weeks. This document will contain additional details about steps moving forward. Fighting Identity Crimes will keep you updated as additional details are released.