Thanks to two related hacks, sensitive information for nearly everyone who’s worked for—or tried to work for—the federal government since 2000 is in the hands of some distant bad actor. So how are government employees supposed to protect themselves?
If you’re one of them, you can take very little, very cold comfort from this fact: “Your information has already been for sale for several years in the cybercrime underground,” Brian Krebs, founder of Krebs on Security, says. Citing large data breaches against Home Depot, Target, JPMorgan Chase, and other companies with tens of millions of customers’ data on file, University of Maryland University College cyber-security instructor Jeff Tjiputra agrees: “At this point, having your data stolen is normal,” he says.
While most people don’t have to worry about their nude selfies or browser histories coming to life, there is cause to believe that more than your Social Security number is at risk here.
Cyberattacks like the OPM incident aren’t for financial so much as for strategic gain, Krebs says. In this case, adversaries targeted federal employees with background investigations, and stolen information included background interviews and passwords.
“They want to know what your weaknesses are,” Krebs says. Whether it’s knowing your embarrassing habits or your familial and business connections, this information can be used for extortion, and eventually espionage, he says.
“Hackers may try to impersonate OPM,” Tjiputra says. “You don’t want to believe whoever calls you and says because I know your name, date of birth, and Social Security number, you should now give me additional information.”
But even people without security clearances can be hurt by stolen information.
“These days, you don’t have privacy or security unless you’re actively trying to curtail that activity,” Krebs says. “We’re long past the point where people can be passive about digital security.”
That also applies to businesses, including the federal government, which didn’t notice the digital intrusion for over a year.
Business are too focused on compliance—making sure they meet regulations, Krebs says. “They don’t spend nearly enough attention on continuous monitoring of their systems.” Companies should notice if new programs are being installed, who is accessing data, and any unusual activity.
That isn’t the only pitfall organizations make, according to Krebs.
The government was “lacking basic security precautions,” Krebs says, “including two-factor identification for access to sensative info.”
Request a free 90-day fraud alert from one of the three national credit bureaus (Experian, Equifax, and TransUnion). Although business don’t have to adhere to fraud alerts, Krebs says, requesting one will notify companies that you want them to confirm your identity before anyone issues credit in your name.
Krebs suggests contacting credit bureaus to freeze your credit altogether. (He gives more detailed instructions here.) Those orders are relatively easy to issue and remove, and absolutely no moves can be made while a freeze is in place.
Here are three more tips from Krebs on protecting your own computer, documents, and passwords:
“If you didn’t go looking for it, don’t install it.” Decline invitations from pop-up windows to download software you weren’t searching for.
“If you installed it, update it.” Software updates include protections against new malware and hacking trends, so even though it might take 15 minutes and require a restart, update weekly.
“If you don’t need it anymore, get rid of it.” Keeping old programs in your computer not only ties up space, but it’s one more thing you must regularly update. Save yourself the trouble.
Benjamin Freed joined Washingtonian in August 2013 and covers politics, business, and media. He was previously the editor of DCist and has also written for Washington City Paper, the New York Times, the New Republic, Slate, and BuzzFeed. He lives in Adams Morgan.
Okay, You’ve Been Hacked. Now What?
Next steps for anyone affected by the OPM mess.
Thanks to two related hacks, sensitive information for nearly everyone who’s worked for—or tried to work for—the federal government since 2000 is in the hands of some distant bad actor. So how are government employees supposed to protect themselves?
If you’re one of them, you can take very little, very cold comfort from this fact: “Your information has already been for sale for several years in the cybercrime underground,” Brian Krebs, founder of Krebs on Security, says. Citing large data breaches against Home Depot, Target, JPMorgan Chase, and other companies with tens of millions of customers’ data on file, University of Maryland University College cyber-security instructor Jeff Tjiputra agrees: “At this point, having your data stolen is normal,” he says.
While most people don’t have to worry about their nude selfies or browser histories coming to life, there is cause to believe that more than your Social Security number is at risk here.
Cyberattacks like the OPM incident aren’t for financial so much as for strategic gain, Krebs says. In this case, adversaries targeted federal employees with background investigations, and stolen information included background interviews and passwords.
“They want to know what your weaknesses are,” Krebs says. Whether it’s knowing your embarrassing habits or your familial and business connections, this information can be used for extortion, and eventually espionage, he says.
“Hackers may try to impersonate OPM,” Tjiputra says. “You don’t want to believe whoever calls you and says because I know your name, date of birth, and Social Security number, you should now give me additional information.”
But even people without security clearances can be hurt by stolen information.
“These days, you don’t have privacy or security unless you’re actively trying to curtail that activity,” Krebs says. “We’re long past the point where people can be passive about digital security.”
That also applies to businesses, including the federal government, which didn’t notice the digital intrusion for over a year.
Business are too focused on compliance—making sure they meet regulations, Krebs says. “They don’t spend nearly enough attention on continuous monitoring of their systems.” Companies should notice if new programs are being installed, who is accessing data, and any unusual activity.
That isn’t the only pitfall organizations make, according to Krebs.
The government was “lacking basic security precautions,” Krebs says, “including two-factor identification for access to sensative info.”
OPM has proposed offering a free credit-monitoring service. Use it, Tjiputra says. You should also request a free copy of your credit report at annualcreditreport.com
Request a free 90-day fraud alert from one of the three national credit bureaus (Experian, Equifax, and TransUnion). Although business don’t have to adhere to fraud alerts, Krebs says, requesting one will notify companies that you want them to confirm your identity before anyone issues credit in your name.
Krebs suggests contacting credit bureaus to freeze your credit altogether. (He gives more detailed instructions here.) Those orders are relatively easy to issue and remove, and absolutely no moves can be made while a freeze is in place.
Here are three more tips from Krebs on protecting your own computer, documents, and passwords:
Benjamin Freed joined Washingtonian in August 2013 and covers politics, business, and media. He was previously the editor of DCist and has also written for Washington City Paper, the New York Times, the New Republic, Slate, and BuzzFeed. He lives in Adams Morgan.
Most Popular in News & Politics
What It Felt Like for a Virginia Marching Band to Win Metallica’s Contest
Meet the 2023 Washingtonians of the Year
What’s IN and OUT in DC Restaurant Trends for 2024
Introducing 8 of DC’s Most Stylish
Washingtonian Magazine
April 2024: Great Places to Live
View IssueSubscribe
Follow Us on Social
Follow Us on Social
Related
13 Major Concerts and Music Festivals in the DC Area This Spring
Mary Timony on Her Emotional New Album, “Untame the Tiger”
The Beatles in DC: A New Exhibit in Maryland Looks Back on Early Beatlemania
Northern Virginia High School Wins Metallica’s Marching Band Competition
More from News & Politics
Taylor Swift Class Will Be Offered at American University
You Can Still Get Tickets to See Caitlin Clark Play in DC
The Capital Pride Parade Won’t Go Through Dupont Circle This Year
Why Did WAMU Close DCist?
Botox in Your Twenties? More People Under 30 Are Getting Cosmetic Treatments.
Did Eugene Vindman Pose With a Confederate Flag?
Want to See Caitlin Clark Play in DC? Prepare to Shell Out Some $$$.
Hozier and Laufey Will Headline This Year’s All Things Go Festival