Thanks to two related hacks, sensitive information for nearly everyone who’s worked for—or tried to work for—the federal government since 2000 is in the hands of some distant bad actor. So how are government employees supposed to protect themselves?
If you’re one of them, you can take very little, very cold comfort from this fact: “Your information has already been for sale for several years in the cybercrime underground,” Brian Krebs, founder of Krebs on Security, says. Citing large data breaches against Home Depot, Target, JPMorgan Chase, and other companies with tens of millions of customers’ data on file, University of Maryland University College cyber-security instructor Jeff Tjiputra agrees: “At this point, having your data stolen is normal,” he says.
While most people don’t have to worry about their nude selfies or browser histories coming to life, there is cause to believe that more than your Social Security number is at risk here.
Cyberattacks like the OPM incident aren’t for financial so much as for strategic gain, Krebs says. In this case, adversaries targeted federal employees with background investigations, and stolen information included background interviews and passwords.
“They want to know what your weaknesses are,” Krebs says. Whether it’s knowing your embarrassing habits or your familial and business connections, this information can be used for extortion, and eventually espionage, he says.
“Hackers may try to impersonate OPM,” Tjiputra says. “You don’t want to believe whoever calls you and says because I know your name, date of birth, and Social Security number, you should now give me additional information.”
But even people without security clearances can be hurt by stolen information.
“These days, you don’t have privacy or security unless you’re actively trying to curtail that activity,” Krebs says. “We’re long past the point where people can be passive about digital security.”
That also applies to businesses, including the federal government, which didn’t notice the digital intrusion for over a year.
Business are too focused on compliance—making sure they meet regulations, Krebs says. “They don’t spend nearly enough attention on continuous monitoring of their systems.” Companies should notice if new programs are being installed, who is accessing data, and any unusual activity.
That isn’t the only pitfall organizations make, according to Krebs.
The government was “lacking basic security precautions,” Krebs says, “including two-factor identification for access to sensative info.”
Request a free 90-day fraud alert from one of the three national credit bureaus (Experian, Equifax, and TransUnion). Although business don’t have to adhere to fraud alerts, Krebs says, requesting one will notify companies that you want them to confirm your identity before anyone issues credit in your name.
Krebs suggests contacting credit bureaus to freeze your credit altogether. (He gives more detailed instructions here.) Those orders are relatively easy to issue and remove, and absolutely no moves can be made while a freeze is in place.
Here are three more tips from Krebs on protecting your own computer, documents, and passwords:
“If you didn’t go looking for it, don’t install it.” Decline invitations from pop-up windows to download software you weren’t searching for.
“If you installed it, update it.” Software updates include protections against new malware and hacking trends, so even though it might take 15 minutes and require a restart, update weekly.
“If you don’t need it anymore, get rid of it.” Keeping old programs in your computer not only ties up space, but it’s one more thing you must regularly update. Save yourself the trouble.
Benjamin Freed joined Washingtonian in August 2013 and covers politics, business, and media. He was previously the editor of DCist and has also written for Washington City Paper, the New York Times, the New Republic, Slate, and BuzzFeed. He lives in Adams Morgan.
Okay, You’ve Been Hacked. Now What?
Thanks to two related hacks, sensitive information for nearly everyone who’s worked for—or tried to work for—the federal government since 2000 is in the hands of some distant bad actor. So how are government employees supposed to protect themselves?
If you’re one of them, you can take very little, very cold comfort from this fact: “Your information has already been for sale for several years in the cybercrime underground,” Brian Krebs, founder of Krebs on Security, says. Citing large data breaches against Home Depot, Target, JPMorgan Chase, and other companies with tens of millions of customers’ data on file, University of Maryland University College cyber-security instructor Jeff Tjiputra agrees: “At this point, having your data stolen is normal,” he says.
While most people don’t have to worry about their nude selfies or browser histories coming to life, there is cause to believe that more than your Social Security number is at risk here.
Cyberattacks like the OPM incident aren’t for financial so much as for strategic gain, Krebs says. In this case, adversaries targeted federal employees with background investigations, and stolen information included background interviews and passwords.
“They want to know what your weaknesses are,” Krebs says. Whether it’s knowing your embarrassing habits or your familial and business connections, this information can be used for extortion, and eventually espionage, he says.
“Hackers may try to impersonate OPM,” Tjiputra says. “You don’t want to believe whoever calls you and says because I know your name, date of birth, and Social Security number, you should now give me additional information.”
But even people without security clearances can be hurt by stolen information.
“These days, you don’t have privacy or security unless you’re actively trying to curtail that activity,” Krebs says. “We’re long past the point where people can be passive about digital security.”
That also applies to businesses, including the federal government, which didn’t notice the digital intrusion for over a year.
Business are too focused on compliance—making sure they meet regulations, Krebs says. “They don’t spend nearly enough attention on continuous monitoring of their systems.” Companies should notice if new programs are being installed, who is accessing data, and any unusual activity.
That isn’t the only pitfall organizations make, according to Krebs.
The government was “lacking basic security precautions,” Krebs says, “including two-factor identification for access to sensative info.”
OPM has proposed offering a free credit-monitoring service. Use it, Tjiputra says. You should also request a free copy of your credit report at annualcreditreport.com
Request a free 90-day fraud alert from one of the three national credit bureaus (Experian, Equifax, and TransUnion). Although business don’t have to adhere to fraud alerts, Krebs says, requesting one will notify companies that you want them to confirm your identity before anyone issues credit in your name.
Krebs suggests contacting credit bureaus to freeze your credit altogether. (He gives more detailed instructions here.) Those orders are relatively easy to issue and remove, and absolutely no moves can be made while a freeze is in place.
Here are three more tips from Krebs on protecting your own computer, documents, and passwords:
Benjamin Freed joined Washingtonian in August 2013 and covers politics, business, and media. He was previously the editor of DCist and has also written for Washington City Paper, the New York Times, the New Republic, Slate, and BuzzFeed. He lives in Adams Morgan.
Editors' Picks
Is DC Being Too Mean to Louise Linton?
Which Washington-Area Neighborhoods Will Boom Next?
Why This Is the Golden Age of DC Grocery Shopping
The Ultimate Guide to DC’s Cherry Blossoms
Most Popular
The 100 Very Best Restaurants in Washington
How I Got This Body: She Went from 160 Pounds to 143 in Just Five Months by Doing Crossfit, Two-a-Days, and Splurging on Pizza
Things to Do in DC This Weekend (April 19-22): Record Store Day, Filmfest DC, and the National Cannabis Festival
Which Washington-Area Neighborhoods Will Boom Next?
May 2018: Jeff Bezos in D.C.
Subscribe
Related Posts
What We Lost When We Lost Hank Dietle’s
WJLA’s TV Legends Are Vanishing. Does It Matter?
In Defense of 2016
There Are Still Six Confederate Memorials Around DC. How’s That Possible?
More from News
What You Can and Can’t Bring onto the Floor in Congress
Are Those Electric Scooters Actually Allowed on the Sidewalk? Here Are the Rules
Scott Pruitt Is the Most Baller Trump Appointee
Farewell to The Hill’s Gloriously Ridiculous “50 Most Beautiful” List