Thanks to two related hacks, sensitive information for nearly everyone who’s worked for—or tried to work for—the federal government since 2000 is in the hands of some distant bad actor. So how are government employees supposed to protect themselves?
If you’re one of them, you can take very little, very cold comfort from this fact: “Your information has already been for sale for several years in the cybercrime underground,” Brian Krebs, founder of Krebs on Security, says. Citing large data breaches against Home Depot, Target, JPMorgan Chase, and other companies with tens of millions of customers’ data on file, University of Maryland University College cyber-security instructor Jeff Tjiputra agrees: “At this point, having your data stolen is normal,” he says.
While most people don’t have to worry about their nude selfies or browser histories coming to life, there is cause to believe that more than your Social Security number is at risk here.
Cyberattacks like the OPM incident aren’t for financial so much as for strategic gain, Krebs says. In this case, adversaries targeted federal employees with background investigations, and stolen information included background interviews and passwords.
“They want to know what your weaknesses are,” Krebs says. Whether it’s knowing your embarrassing habits or your familial and business connections, this information can be used for extortion, and eventually espionage, he says.
“Hackers may try to impersonate OPM,” Tjiputra says. “You don’t want to believe whoever calls you and says because I know your name, date of birth, and Social Security number, you should now give me additional information.”
But even people without security clearances can be hurt by stolen information.
“These days, you don’t have privacy or security unless you’re actively trying to curtail that activity,” Krebs says. “We’re long past the point where people can be passive about digital security.”
That also applies to businesses, including the federal government, which didn’t notice the digital intrusion for over a year.
Business are too focused on compliance—making sure they meet regulations, Krebs says. “They don’t spend nearly enough attention on continuous monitoring of their systems.” Companies should notice if new programs are being installed, who is accessing data, and any unusual activity.
That isn’t the only pitfall organizations make, according to Krebs.
The government was “lacking basic security precautions,” Krebs says, “including two-factor identification for access to sensative info.”
Request a free 90-day fraud alert from one of the three national credit bureaus (Experian, Equifax, and TransUnion). Although business don’t have to adhere to fraud alerts, Krebs says, requesting one will notify companies that you want them to confirm your identity before anyone issues credit in your name.
Krebs suggests contacting credit bureaus to freeze your credit altogether. (He gives more detailed instructions here.) Those orders are relatively easy to issue and remove, and absolutely no moves can be made while a freeze is in place.
Here are three more tips from Krebs on protecting your own computer, documents, and passwords:
“If you didn’t go looking for it, don’t install it.” Decline invitations from pop-up windows to download software you weren’t searching for.
“If you installed it, update it.” Software updates include protections against new malware and hacking trends, so even though it might take 15 minutes and require a restart, update weekly.
“If you don’t need it anymore, get rid of it.” Keeping old programs in your computer not only ties up space, but it’s one more thing you must regularly update. Save yourself the trouble.
Not Just Another Political News Roundup: Get Our “Washingtonian Today” Newsletter
A daily dose of DC life, politics, and culture—not just another political news roundup.
Benjamin Freed joined Washingtonian in August 2013 and covers politics, business, and media. He was previously the editor of DCist and has also written for Washington City Paper, the New York Times, the New Republic, Slate, and BuzzFeed. He lives in Adams Morgan.
Okay, You’ve Been Hacked. Now What?
Thanks to two related hacks, sensitive information for nearly everyone who’s worked for—or tried to work for—the federal government since 2000 is in the hands of some distant bad actor. So how are government employees supposed to protect themselves?
If you’re one of them, you can take very little, very cold comfort from this fact: “Your information has already been for sale for several years in the cybercrime underground,” Brian Krebs, founder of Krebs on Security, says. Citing large data breaches against Home Depot, Target, JPMorgan Chase, and other companies with tens of millions of customers’ data on file, University of Maryland University College cyber-security instructor Jeff Tjiputra agrees: “At this point, having your data stolen is normal,” he says.
While most people don’t have to worry about their nude selfies or browser histories coming to life, there is cause to believe that more than your Social Security number is at risk here.
Cyberattacks like the OPM incident aren’t for financial so much as for strategic gain, Krebs says. In this case, adversaries targeted federal employees with background investigations, and stolen information included background interviews and passwords.
“They want to know what your weaknesses are,” Krebs says. Whether it’s knowing your embarrassing habits or your familial and business connections, this information can be used for extortion, and eventually espionage, he says.
“Hackers may try to impersonate OPM,” Tjiputra says. “You don’t want to believe whoever calls you and says because I know your name, date of birth, and Social Security number, you should now give me additional information.”
But even people without security clearances can be hurt by stolen information.
“These days, you don’t have privacy or security unless you’re actively trying to curtail that activity,” Krebs says. “We’re long past the point where people can be passive about digital security.”
That also applies to businesses, including the federal government, which didn’t notice the digital intrusion for over a year.
Business are too focused on compliance—making sure they meet regulations, Krebs says. “They don’t spend nearly enough attention on continuous monitoring of their systems.” Companies should notice if new programs are being installed, who is accessing data, and any unusual activity.
That isn’t the only pitfall organizations make, according to Krebs.
The government was “lacking basic security precautions,” Krebs says, “including two-factor identification for access to sensative info.”
OPM has proposed offering a free credit-monitoring service. Use it, Tjiputra says. You should also request a free copy of your credit report at annualcreditreport.com
Request a free 90-day fraud alert from one of the three national credit bureaus (Experian, Equifax, and TransUnion). Although business don’t have to adhere to fraud alerts, Krebs says, requesting one will notify companies that you want them to confirm your identity before anyone issues credit in your name.
Krebs suggests contacting credit bureaus to freeze your credit altogether. (He gives more detailed instructions here.) Those orders are relatively easy to issue and remove, and absolutely no moves can be made while a freeze is in place.
Here are three more tips from Krebs on protecting your own computer, documents, and passwords:
Not Just Another Political News Roundup: Get Our “Washingtonian Today” Newsletter
A daily dose of DC life, politics, and culture—not just another political news roundup.
Benjamin Freed joined Washingtonian in August 2013 and covers politics, business, and media. He was previously the editor of DCist and has also written for Washington City Paper, the New York Times, the New Republic, Slate, and BuzzFeed. He lives in Adams Morgan.
Editors' Picks
A Murder on the Rappahannock River
DC Apartment Hunting Is Officially Bonkers, in the Most DC Way Possible
DC Types Have Been Flocking to Shrinks Ever Since Trump Won. And a Lot of the Therapists Are Miserable.
The Best (and Worst!) of Washington 2019
Most Popular in News
A Big Bob Ross Exhibit Will Open in September
Get to the Zoo Fast, Because Bei Bei’s Days in DC Could Be Numbered
30 Acres of Sunflowers Are Now Blooming in Maryland
After a Brutal Animal Attack, Chuck Brown’s Son Is Back in the Groove
DC Types Have Been Flocking to Shrinks Ever Since Trump Won. And a Lot of the Therapists Are Miserable.
July 2019: Boomers vs. Millennials
Related
A Look Inside One of the Country’s Biggest Vinyl Record Plants
What We Lost When We Lost Hank Dietle’s
WJLA’s TV Legends Are Vanishing. Does It Matter?
In Defense of 2016
More from News
Coco Gauff Is Coming to DC. Here’s How You Can See the 15-Year-Old Tennis Sensation
A Big Bob Ross Exhibit Will Open in September
Washingtonian’s Photo of the Day
You Can Adopt a Cat for Free at DC’s Humane Rescue Alliance
Get to the Zoo Fast, Because Bei Bei’s Days in DC Could Be Numbered
WTOP’s Wernher von Braun Screwup Demonstrates a Peril of Local Reporting
Washingtonian’s Photo of the Day
30 Acres of Sunflowers Are Now Blooming in Maryland