Thanks to two related hacks, sensitive information for nearly everyone who’s worked for—or tried to work for—the federal government since 2000 is in the hands of some distant bad actor. So how are government employees supposed to protect themselves?
If you’re one of them, you can take very little, very cold comfort from this fact: “Your information has already been for sale for several years in the cybercrime underground,” Brian Krebs, founder of Krebs on Security, says. Citing large data breaches against Home Depot, Target, JPMorgan Chase, and other companies with tens of millions of customers’ data on file, University of Maryland University College cyber-security instructor Jeff Tjiputra agrees: “At this point, having your data stolen is normal,” he says.
While most people don’t have to worry about their nude selfies or browser histories coming to life, there is cause to believe that more than your Social Security number is at risk here.
Cyberattacks like the OPM incident aren’t for financial so much as for strategic gain, Krebs says. In this case, adversaries targeted federal employees with background investigations, and stolen information included background interviews and passwords.
“They want to know what your weaknesses are,” Krebs says. Whether it’s knowing your embarrassing habits or your familial and business connections, this information can be used for extortion, and eventually espionage, he says.
“Hackers may try to impersonate OPM,” Tjiputra says. “You don’t want to believe whoever calls you and says because I know your name, date of birth, and Social Security number, you should now give me additional information.”
But even people without security clearances can be hurt by stolen information.
“These days, you don’t have privacy or security unless you’re actively trying to curtail that activity,” Krebs says. “We’re long past the point where people can be passive about digital security.”
That also applies to businesses, including the federal government, which didn’t notice the digital intrusion for over a year.
Business are too focused on compliance—making sure they meet regulations, Krebs says. “They don’t spend nearly enough attention on continuous monitoring of their systems.” Companies should notice if new programs are being installed, who is accessing data, and any unusual activity.
That isn’t the only pitfall organizations make, according to Krebs.
The government was “lacking basic security precautions,” Krebs says, “including two-factor identification for access to sensative info.”
Request a free 90-day fraud alert from one of the three national credit bureaus (Experian, Equifax, and TransUnion). Although business don’t have to adhere to fraud alerts, Krebs says, requesting one will notify companies that you want them to confirm your identity before anyone issues credit in your name.
Krebs suggests contacting credit bureaus to freeze your credit altogether. (He gives more detailed instructions here.) Those orders are relatively easy to issue and remove, and absolutely no moves can be made while a freeze is in place.
Here are three more tips from Krebs on protecting your own computer, documents, and passwords:
“If you didn’t go looking for it, don’t install it.” Decline invitations from pop-up windows to download software you weren’t searching for.
“If you installed it, update it.” Software updates include protections against new malware and hacking trends, so even though it might take 15 minutes and require a restart, update weekly.
“If you don’t need it anymore, get rid of it.” Keeping old programs in your computer not only ties up space, but it’s one more thing you must regularly update. Save yourself the trouble.
Don’t Miss Another Big Story—Get Our Weekend Newsletter
Our most popular stories of the week, sent every Saturday.
Benjamin Freed joined Washingtonian in August 2013 and covers politics, business, and media. He was previously the editor of DCist and has also written for Washington City Paper, the New York Times, the New Republic, Slate, and BuzzFeed. He lives in Adams Morgan.
We engage readers directly in their mailboxes with topics like Health, Things to Do, Best Brunches, Design & Shopping, and Real Estate. Get the latest from our editors today.
Okay, You’ve Been Hacked. Now What?
Next steps for anyone affected by the OPM mess.
Thanks to two related hacks, sensitive information for nearly everyone who’s worked for—or tried to work for—the federal government since 2000 is in the hands of some distant bad actor. So how are government employees supposed to protect themselves?
If you’re one of them, you can take very little, very cold comfort from this fact: “Your information has already been for sale for several years in the cybercrime underground,” Brian Krebs, founder of Krebs on Security, says. Citing large data breaches against Home Depot, Target, JPMorgan Chase, and other companies with tens of millions of customers’ data on file, University of Maryland University College cyber-security instructor Jeff Tjiputra agrees: “At this point, having your data stolen is normal,” he says.
While most people don’t have to worry about their nude selfies or browser histories coming to life, there is cause to believe that more than your Social Security number is at risk here.
Cyberattacks like the OPM incident aren’t for financial so much as for strategic gain, Krebs says. In this case, adversaries targeted federal employees with background investigations, and stolen information included background interviews and passwords.
“They want to know what your weaknesses are,” Krebs says. Whether it’s knowing your embarrassing habits or your familial and business connections, this information can be used for extortion, and eventually espionage, he says.
“Hackers may try to impersonate OPM,” Tjiputra says. “You don’t want to believe whoever calls you and says because I know your name, date of birth, and Social Security number, you should now give me additional information.”
But even people without security clearances can be hurt by stolen information.
“These days, you don’t have privacy or security unless you’re actively trying to curtail that activity,” Krebs says. “We’re long past the point where people can be passive about digital security.”
That also applies to businesses, including the federal government, which didn’t notice the digital intrusion for over a year.
Business are too focused on compliance—making sure they meet regulations, Krebs says. “They don’t spend nearly enough attention on continuous monitoring of their systems.” Companies should notice if new programs are being installed, who is accessing data, and any unusual activity.
That isn’t the only pitfall organizations make, according to Krebs.
The government was “lacking basic security precautions,” Krebs says, “including two-factor identification for access to sensative info.”
OPM has proposed offering a free credit-monitoring service. Use it, Tjiputra says. You should also request a free copy of your credit report at annualcreditreport.com
Request a free 90-day fraud alert from one of the three national credit bureaus (Experian, Equifax, and TransUnion). Although business don’t have to adhere to fraud alerts, Krebs says, requesting one will notify companies that you want them to confirm your identity before anyone issues credit in your name.
Krebs suggests contacting credit bureaus to freeze your credit altogether. (He gives more detailed instructions here.) Those orders are relatively easy to issue and remove, and absolutely no moves can be made while a freeze is in place.
Here are three more tips from Krebs on protecting your own computer, documents, and passwords:
Don’t Miss Another Big Story—Get Our Weekend Newsletter
Our most popular stories of the week, sent every Saturday.
Benjamin Freed joined Washingtonian in August 2013 and covers politics, business, and media. He was previously the editor of DCist and has also written for Washington City Paper, the New York Times, the New Republic, Slate, and BuzzFeed. He lives in Adams Morgan.
Most Popular in News & Politics
The Best Reactions to the Jeffrey Toobin “Zoom Dick” Incident
He’s 32. He’s Joe Biden’s Press Secretary. And He Has Stage 4 Cancer.
DC’s New Covid-Tracing Smartphone Tool Is Going Live This Week
Freaked Out by the Low-Flying Helicopters Around DC? Don’t Worry!
Poll: Trump Is on Pace to More Than Double His DC Support in the 2020 Election
Washingtonian Magazine
October 2020: Heroes of the Crisis
View IssueSubscribe
Get Us on Social
Get Us on Social
Related
Video From Fall Real Estate Market Update With Local Leaders
Washingtonian Real Estate Virtual Happy Hour
Videos from Washingtonian’s Wellness Day
Washingtonian Wellness Day
More from News & Politics
Ice Skating at the Sculpture Garden Is Canceled This Year Because, Well, 2020
“The Bachelorette” Keeps Arlington Contestant Jason for at Least Another Week. Whew!
Ben Tolkan, Subject of 2016 Washingtonian Feature, Has Died at 37
AOC Broke Gamer Internet by Streaming on Twitch Last Night. But She’s Not the Only Political Gamer Out There.
Planet Word Opens This Week. Here’s a Look Inside the High-Tech Language Museum.
Punch Bowl Social Won’t Offer Karaoke in Arlington—but It Will Have Happy Hour
The DC Area’s Top Economic Researcher Is Predicting a Big Recovery—in 2022
The Trump Hotel Is Selling Masks