12 June 2015

The OPM breach was really, really bad. The OPM response is really, really bad.

The breach was apparently discovered sometime last year (!) when a vendor was doing a product demo on the production network. The idea that a vendor was doing a sales presentation on their production network is terrifying. Nothing to see here!

So far, we're hearing that at least 4 million (but potentially as many as 14 million?!) government employees were affected. Also, not much mention of government contractors, although the second link above speculates on that (OPM says: "No contractors were affected unless they previously held Federal civilian positions."). I'm not comfortable with their confidence, so still waiting for that shoe to drop. I personally haven't heard a peep from Booz Allen. I expect we'll hear more about this soon.

After the breach, OPM contracted with an identity theft company called CSID to provide ID theft protection for all affected government employees. Then, CSID sent the employees a shady looking email from csid.com and as of today, many people still think the email is a phishing attempt. Users were told to delete any email claiming to notify them of the breach. At the same time, OPM published on its website for employees to expect the email from csid.com, and the FTC claims the emails are legit. You can't make this shit up.

Here is Teri Centner's blog post which nicely summarizes the issue.

Here is the announcement from OPM telling users to expect an email from opmcio@csid.com.

Here is the FTC page authenticating the CSID emails.

Post a Comment