Thanks to two related hacks, sensitive information for nearly everyone who’s worked for—or tried to work for—the federal government since 2000 is in the hands of some distant bad actor. So how are government employees supposed to protect themselves?
If you’re one of them, you can take very little, very cold comfort from this fact: “Your information has already been for sale for several years in the cybercrime underground,” Brian Krebs, founder of Krebs on Security, says. Citing large data breaches against Home Depot, Target, JPMorgan Chase, and other companies with tens of millions of customers’ data on file, University of Maryland University College cyber-security instructor Jeff Tjiputra agrees: “At this point, having your data stolen is normal,” he says.
While most people don’t have to worry about their nude selfies or browser histories coming to life, there is cause to believe that more than your Social Security number is at risk here.
Cyberattacks like the OPM incident aren’t for financial so much as for strategic gain, Krebs says. In this case, adversaries targeted federal employees with background investigations, and stolen information included background interviews and passwords.
“They want to know what your weaknesses are,” Krebs says. Whether it’s knowing your embarrassing habits or your familial and business connections, this information can be used for extortion, and eventually espionage, he says.
“Hackers may try to impersonate OPM,” Tjiputra says. “You don’t want to believe whoever calls you and says because I know your name, date of birth, and Social Security number, you should now give me additional information.”
But even people without security clearances can be hurt by stolen information.
“These days, you don’t have privacy or security unless you’re actively trying to curtail that activity,” Krebs says. “We’re long past the point where people can be passive about digital security.”
That also applies to businesses, including the federal government, which didn’t notice the digital intrusion for over a year.
Business are too focused on compliance—making sure they meet regulations, Krebs says. “They don’t spend nearly enough attention on continuous monitoring of their systems.” Companies should notice if new programs are being installed, who is accessing data, and any unusual activity.
That isn’t the only pitfall organizations make, according to Krebs.
The government was “lacking basic security precautions,” Krebs says, “including two-factor identification for access to sensative info.”
Request a free 90-day fraud alert from one of the three national credit bureaus (Experian, Equifax, and TransUnion). Although business don’t have to adhere to fraud alerts, Krebs says, requesting one will notify companies that you want them to confirm your identity before anyone issues credit in your name.
Krebs suggests contacting credit bureaus to freeze your credit altogether. (He gives more detailed instructions here.) Those orders are relatively easy to issue and remove, and absolutely no moves can be made while a freeze is in place.
Here are three more tips from Krebs on protecting your own computer, documents, and passwords:
“If you didn’t go looking for it, don’t install it.” Decline invitations from pop-up windows to download software you weren’t searching for.
“If you installed it, update it.” Software updates include protections against new malware and hacking trends, so even though it might take 15 minutes and require a restart, update weekly.
“If you don’t need it anymore, get rid of it.” Keeping old programs in your computer not only ties up space, but it’s one more thing you must regularly update. Save yourself the trouble.
Benjamin Freed joined Washingtonian in August 2013 and covers politics, business, and media. He was previously the editor of DCist and has also written for Washington City Paper, the New York Times, the New Republic, Slate, and BuzzFeed. He lives in Adams Morgan.
Okay, You’ve Been Hacked. Now What?
Thanks to two related hacks, sensitive information for nearly everyone who’s worked for—or tried to work for—the federal government since 2000 is in the hands of some distant bad actor. So how are government employees supposed to protect themselves?
If you’re one of them, you can take very little, very cold comfort from this fact: “Your information has already been for sale for several years in the cybercrime underground,” Brian Krebs, founder of Krebs on Security, says. Citing large data breaches against Home Depot, Target, JPMorgan Chase, and other companies with tens of millions of customers’ data on file, University of Maryland University College cyber-security instructor Jeff Tjiputra agrees: “At this point, having your data stolen is normal,” he says.
While most people don’t have to worry about their nude selfies or browser histories coming to life, there is cause to believe that more than your Social Security number is at risk here.
Cyberattacks like the OPM incident aren’t for financial so much as for strategic gain, Krebs says. In this case, adversaries targeted federal employees with background investigations, and stolen information included background interviews and passwords.
“They want to know what your weaknesses are,” Krebs says. Whether it’s knowing your embarrassing habits or your familial and business connections, this information can be used for extortion, and eventually espionage, he says.
“Hackers may try to impersonate OPM,” Tjiputra says. “You don’t want to believe whoever calls you and says because I know your name, date of birth, and Social Security number, you should now give me additional information.”
But even people without security clearances can be hurt by stolen information.
“These days, you don’t have privacy or security unless you’re actively trying to curtail that activity,” Krebs says. “We’re long past the point where people can be passive about digital security.”
That also applies to businesses, including the federal government, which didn’t notice the digital intrusion for over a year.
Business are too focused on compliance—making sure they meet regulations, Krebs says. “They don’t spend nearly enough attention on continuous monitoring of their systems.” Companies should notice if new programs are being installed, who is accessing data, and any unusual activity.
That isn’t the only pitfall organizations make, according to Krebs.
The government was “lacking basic security precautions,” Krebs says, “including two-factor identification for access to sensative info.”
OPM has proposed offering a free credit-monitoring service. Use it, Tjiputra says. You should also request a free copy of your credit report at annualcreditreport.com
Request a free 90-day fraud alert from one of the three national credit bureaus (Experian, Equifax, and TransUnion). Although business don’t have to adhere to fraud alerts, Krebs says, requesting one will notify companies that you want them to confirm your identity before anyone issues credit in your name.
Krebs suggests contacting credit bureaus to freeze your credit altogether. (He gives more detailed instructions here.) Those orders are relatively easy to issue and remove, and absolutely no moves can be made while a freeze is in place.
Here are three more tips from Krebs on protecting your own computer, documents, and passwords:
Benjamin Freed joined Washingtonian in August 2013 and covers politics, business, and media. He was previously the editor of DCist and has also written for Washington City Paper, the New York Times, the New Republic, Slate, and BuzzFeed. He lives in Adams Morgan.
Editors' Picks
The 100 Very Best Restaurants in Washington
Bad News for the NFL: John Riggins’ Wife Is a Lawyer
The High-Paid DC Millennials Who Are Using Side Hustles to “Ball Out”
Meet Britt McHenry, the Fox News Star for Millennials
Most Popular in News
Washingtonians Are the Third-Worst Drivers in Rain and Snow in the US
“The Handmaid’s Tale” Is Filming on the National Mall and the Photos are Kinda Intense
What These 2020 Candidates’ DC Neighborhoods Tell Us About Them
The Tommy Show Is Back
How Five Ambassadors From Cold Countries Get Through Winter in DC
February 2019: 100 Very Best Restaurants
Related
A Look Inside One of the Country’s Biggest Vinyl Record Plants
What We Lost When We Lost Hank Dietle’s
WJLA’s TV Legends Are Vanishing. Does It Matter?
In Defense of 2016
More from News
Washingtonian Today: Extra Spicy!
4 Summer Camps That Turn DC into One Big Playground
What These 2020 Candidates’ DC Neighborhoods Tell Us About Them
DC Has a New Esports Team and Its Inaugural Watch Party Was Bonkers
José Andrés Will Present at the Oscars
Remembering DC Music Legend Skip Groff
Q107’s Uncle Johnny Talks About WRQX Getting Sold and the Glory Days of DC Top 40 Radio
Washingtonian Today: Snow News Day