Was it 4 million, 14 million or 18 million records breached by (likely state-sponsored) Chinese hackers?
Whose fault was it? Incredibly, the USOPM director Katherine Archuleta says "I don't believe anyone (at OPM) is personally responsible." Really? Perhaps the worst data breach ever raises lots of questions, but I haven't heard any good answers from the Feds. For sobering answers, instead read "Why the OPM Data Breach is Unlike Any Other" by expert Nuala O'Connor of the Center for Democracy and Technology.
Federal employees, their families, their friends and their neighbors -- because all of them could be victims -- deserve much better answers, just as they deserve better service than USOPM's credit monitoring provider is giving them. Congress is demanding those answers. Great. It should keep its focus on these sorts of hearings, rather than looking at passing some terrible breach notice bill that preempts better state laws.
MYTH: It's Not Our Fault: "If there is anyone to blame, it is the perpetrators," OPM Director Katherine Archuleta told Congress at a Senate Appropriations Committee hearing this week. "I don't believe anyone (at OPM) is personally responsible." (USA Today).
REALITY: Actually, It Is: Meanwhile, in his own testimony to the committee, Assistant Inspector General Michael Esser blamed OPM's "long history of systemic failures to properly manage its IT infrastructure" (going back to at least FY2007) for the problems, which range from a "lack of planning" to a failure to "shut down" a variety of systems that were out of compliance, even though they hosted "among the most critical and sensitive applications owned by the agency."
MYTH: You Can Count On Credit Monitoring: As I often point out, free credit monitoring for a limited time is the sop offered by virtually every breached entity to every victim, but the security freeze is better. Keep in mind that besides credit monitoring's inherent flaws and limits, as far as I know they've only offered it to federal employee victims and their spouses/partners, but not to all the references -- friends, neighbors -- who were interviewed for the victim's security clearance and whose information may have also been breached. While information collected on these persons may not be as detailed, it is certainly enough to make them potential victims of phishing and social engineering scams.
REALITY: Not Only Is Credit Monitoring Inadequate, the Government's Contractor Is Doing A Bad Job: Senator Mark Warner (VA) has been very critical of credit monitoring vendor CSID and its subcontractors. As the Washington Post explains, "Looking for help after the federal employee hack? Prepare to spend a few hours on hold." The Post quotes Senator Warner:
“Information has come to light that raises questions about OPM’s awarding of this $20 million contract to CSID, and whether CSID has the expertise and capacity to provide the services for which it was contracted,” Warner said in a letter sent Friday [to Archuleta].
Meanwhile, over at her CDT blog, Nuala O'Connor explains "Why the OPM Data Breach is Unlike Any Other." Some excerpts:
"The scope of the recent hack of the Office of Personnel Management (OPM), in which the records of millions of current and former federal employees were breached, is exponentially greater than the many other recent headline-generating breaches in the private sector. This breach not only impacts government employees but countless of their partners, associates, and confidantes, and the stolen information includes some of the most intimate personal details about the individuals affected. [...]
She goes on to explain that the government has failed to follow common-sense data management best-practices:
"As critical as encryption is to cybersecurity, it would not have stopped the OPM breach – but data-retention limits might have mitigated the extent of it. The agency reportedly was holding data on individuals from as far back as 1985. Further, government agencies are not following the very same level of rigor of the security guidelines and practices often applied by other government agencies and commissions to the private sector. [...]"
Finally, she echoes one of our own greatest concerns: instead of narrowing the scope of consumer harms that are actionable in privacy breaches, as nearly every breach notice proposal before Congress would, we need to recognize a broader panoply of harms:
"Beyond this, a breach of this magnitude should call into question how we define harm and the types of remediation available to individuals. Credit monitoring and identity-theft resources may have little utility for those whose data was breached, especially when the information that was taken goes beyond credit card numbers and into detailed dossiers about individuals. How does one put the cat back in the bag when the records breached contain information such as past drug use, lie-detector tests you failed, or extramarital affairs?"
Our recent data breach testimony to Congress is here. Our group letter opposing weak federal data breach and data security proposals is here. Our recent blog offering tips to victims of any breach -- including information on the security freeze -- is here.