The US Office of Personnel Management (OPM) has issued a statement confirming that a cybersecurity incident affecting its systems and data may have compromised the personal information of many current and former Federal employees.
OPM became aware of the incident in April 2015, but the breach itself happened some time before that; OPM is vague about exactly when it occurred.
OPM states that: “Since the incident was identified, OPM has partnered with the US Department of Homeland Security’s US Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation to determine the impact to Federal personnel. And OPM immediately implemented additional security measures to protect the sensitive information it manages.”
Beginning June 8th and continuing through June 19th, OPM will be sending notifications to approximately 4 million individuals whose Personally Identifiable Information was potentially compromised in this incident.
The incident raises various questions:
- How long ago did the breach occur and how long have compromised records been in the hands of the attackers?
- If the breach was detected in April 2015, why will it take until June 8th for affected individuals to be informed? The extended delay increases the risk that personal data will be used for fraud and identity theft.
- Why has the OPM published details of exactly when emails will be sent to individuals, along with details of the email address that emails will come from (email@example.com) as well as giving information about what the email will contain? This simply gives phishers an open door. Federal employees (along with others caught in the crossfire) will receive multiple phishing emails starting on June 8th purportedly coming from the firstname.lastname@example.org address.