(Updated) Security Bulletin: The OPM Hack & You

By now you should have heard about the massive data breach at the Office of Personnel Management, the government agency responsible for managing the personal records of every federal employee and member of the intelligence community. The most damning record comes to us in the form of the SF-86, a record that contains enough personally identifiable information to steal the identity of not only the professional obtaining the security clearance, but literally everyone they love.

This revelation is particularly sobering when it comes on the wake of a similarly damning bit of data mining:  Looking Glass.  The unfortunate realization that our security managers were right - be careful what you put on the internet - comes a little too late.  And, unfortunately, as both the OPM hack and the web crawler Looking Glass prove, you can be victimized even if you do everything right.

So, if you're a first cousin, or a spouse of a veteran, then everything necessary to end up with your identity stolen (your last known address, or two, your employer, your birth day, SSN, maiden names) is probably included in this data.  However, the amount of data leaked here is so massive that, unless you're named by a filtering program (like Looking Glass - or you post photos of your Mercedes on Twitter), you're probably not going to show up on any criminal's (or foreign government) radar.

For your average American, you might be included in this breach by name (e.g. "Airmen Johnny has coffee with Dr. Snuffy regularly"), but beyond your name you're probably without worry.


update: 16 june, 2015


From the CSID website:  $1,000,000 in identity theft protection services to be offered to those affected; notifications will be sent by e-mail or postal service by 19 June, 2015. SF-86s probably not compromised: "Your [family member] was not affected by this breach. The only data potentially exposed as a result of this incident is your personal data."

Furthermore, this incident did not affect military records; no contractors were affected unless they previously held Federal civilian positions. The incident affected current and former Federal civilian personnel, including Department of Defense civilian employees.

Unfortunately, there is a spearfishing campaign going on sending fictitious e-mails to DOD personnel. US Army CID states a phishing email is being sent to DOD personnel asking them to click on hyperlinks and enter a personal PIN number to verify their personal Information.

The Office of Personnel Management has issued a warning to its users to avoid clicking on links in e-mails, giving out personal information over the internet, or communicating with individuals of an unverified nature.