[BreachExchange] Reasons to Be Fearful: Fed Workers Warned of Future OPM Hacking Threat

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 21 19:11:59 EST 2016


http://thechiefleader.com/reasons-to-be-fearful-fed-workers-warned-of-future-opm/article_ab363ff2-ade7-11e6-9e71-47f6a4cec087.html

The 2015 hacking of the Federal Government’s Office of Personnel
Management, which put the personal data for millions of current and former
Federal employees at risk, may be out of the headlines but is still a cause
for anxiety for the victims, according to union lawyers who represent them.

“In addition to the sweeping breaches that have already occurred, there is
a real threat that OPM’s systems will be breached again,” said Paras N.
Shah, assistant counsel for the National Treasury Employees Union. “For
nearly a decade leading up to the breaches announced in June 2015, OPM
ignored urgent warnings of its own Inspector General concerning its
deficient IT security. And in a report issued five months after the
breaches were announced, the IG continued to warn that its information
systems were still vulnerable to further attack.”

A Further Regression

On Nov. 18 the Inspector General overseeing OPM issued an updated audit
which found the agency still had “material weakness” in its systems. In
fact, the IG found OPM was losing ground, with “significant regression” in
complying with the requirements of the Federal Information Security
Modernization Act that “it had successfully met in prior years.” The IG
cited “an extremely high turnover rate of critical positions.”

In court papers filed by NTEU’s legal team back in June, the union
identified several instances where its members had experienced major
repercussions believed to be the result of the 2015 hacking. It described
how Eugene Gambardella, a Senior Import Specialist with Customs and Border
Protection who lives in New Jersey and works in the New York metro region,
attempted to file his income-tax return for 2015 electronically in February
of 2016 but was told by the IRS that it had already received his return.

According to the suit, Mr. Gambardella “spent time and resources” to work
out the issue with the IRS due to the previous fraudulent filing. Yet,
ironically, he had to file a paper return to get his $7,000 refund check six
months later.

Mind-Boggling Scale

In June 2015 OPM publicly disclosed that the personnel data, including
Social Security numbers, dates of birth and addresses, for 4.2 million
current and former Federal employees had been hacked. In addition, more
than 18 million individuals who had submitted personnel data as part of a
standard background check or to get a security clearance were also hit.
Copies of fingerprints of 5.6 million people were also stolen.

Roughly 5,200 NTEU members live in the New York City metro area. In
addition, several thousand members of the American Federation of
Government Employees who live in the region were affected by the
breach. Of particular concern to the active-duty and retired
law-enforcement community is that the bulk of the hacked files belonged to
applicants for national-security clearances going back decades.

“OPM’s monumental and inexcusable blunder has placed the lives of an
unknown number of Federal law enforcement officers (LEOs) and their
families in jeopardy,” wrote Jon Adler, president of the Federal Law
Enforcement Officers Association back last year when the breach was
disclosed. “Their failure to secure personally identifiable information has
left these affected officers vulnerable to attacks and retaliation from
criminals and terrorists currently or formerly investigated by the United
States.”

Credit-Monitoring to End

In the aftermath of the catastrophic hack, OPM offered free credit
monitoring and identity protection. The contract for the company initially
hired by OPM to handle credit-monitoring services for about 600,000 of the
Federal employees involved is expiring on Dec. 1. Federal employees need to
re-apply with the new credit-monitoring company, ID Experts, that is taking
over as the benefits provider.

That firm is currently providing services for the 21.5 million current and
former employees, retirees, and job applicants whose information was
exposed in the larger breach of background investigations data maintained
by OPM.

The first red flags from the OPM’s Inspector General on the agency’s lack
of cyber security and poor data management came in 2005 and remained a
consistent point of concern for the watchdog agency for the next decade. By
2014 the IG was describing the state of affairs as a “significant
deficiency.”

Even as late as this September the House Committee on Oversight and
Government Reform said in a report that “questions remain as to the state
and utility of OPM’s new information and technology infrastructure.” The
report, entitled “The OPM Data Breach: How the Government Jeopardized Our
National Security For A Generation,” found that OPM “failed to announce a
2014 breach and claimed the 2014 and 2015 incidents were not connected when
in fact they were,” according to House investigators.

Not Just ‘Social’ Numbers

What the hackers got access to was the information contained in Standard
Form SF-86, which all applicants for Department of Defense or Intelligence
Community background checks have to fill out for potential employment or
contract work.

In addition to personal information like Social Security numbers, places of
residence going back 10 years, and the names and addresses of relatives,
the form attempts to identify potential vulnerabilities in the applicant’s
background that could be used to blackmail them into betraying their
country.

It requires that applicants disclose if they consulted a health-care
professional regarding their emotional or mental state, if they used
illegal drugs or controlled substances, if they abused alcohol to the point
it affected their family or professional life, and if they had financial
problems due to gambling.

“Due to the data breach at OPM, adversaries are in possession of some of
the most intimate and embarrassing details of the lives of individuals who
our country trusts to protect our national security and its secrets,”
concluded the report from the House Committee on Oversight and Government Reform.

Unions’ Separate Strategies

Both NTEU and AFGE are suing OPM over the data breach on behalf of their
rank-and-file membership but the two unions are pursuing different legal
strategies. Both cases are pending in Federal District Court in Washington,
D.C. before Judge Amy Berman Jackson. OPM has moved to have both cases
dismissed. A ruling is expected sometime after the holidays, according to
Dan Girard, the outside counsel representing AFGE.

A call to OPM and email from this newspaper got no response.

Mr. Girard said that in AFGE’s action the plaintiffs are suing OPM but also
going after KeyPoint, the Colorado-based contractor involved with the
Federal agency’s data protection. “We are seeking punitive damages for our
clients that have already had to expend money out of their own pocket for
identity protection and for those who have already been victimized by
identity theft,” Mr. Girard said.

Mr. Girard said that in addition to surviving OPM’s dismissal motion, his
clients still have to secure certification as a class to move forward.

Seek Lifetime Protection

NTEU’s litigation does not look for monetary punitive damages from the
government but seeks “lifetime credit-monitoring and identity-theft
protection for our members who were affected by the breaches,” Mr. Shah
said. “We also are looking for a court order requiring OPM to take
immediately all necessary and appropriate steps to correct deficiencies in
its IT security program, so that NTEU members’ personal information will be
adequately protected going forward.”

He added that the union also wants an order “prohibiting OPM from requiring
the submission of NTEU members’ personal information in an electronic form
until the court is satisfied that OPM has taken all necessary and
appropriate steps to safeguard NTEU members’ personal information.”

“As a condition of their employment, our members had to turn over
inherently personal material to the government, which the government
promised to keep confidential,” Mr. Shah said. “When OPM disregarded the
urgent warnings of its Inspector General and chose not to adequately secure
the deeply personal information that it had promised to protect, leading to
the breaches announced last year, it violated our members’ constitutional
right to informational privacy.”