OPM breach NOT bigger than previously admitted (CORRECTED)

CORRECTION: An alert reader notified this site that NextGov had goofed in reporting that OPM had recently revealed that the breach was larger than previously reported. NextGov has retracted that part of their story and issued an Editor’s Note: “The original version of this article erroneously stated that the Office of Personnel Management had acknowledged for the first time that the 2015 background check breach had potentially impacted tens of millions more people than had been originally disclosed. OPM had in fact previously published information on the wider impact of the breach. Nextgov regrets the error, and has updated the article below to remove the incorrect information.” Original story from DataBreaches.net now removed in light of the above. Sorry, folks, and thanks, Theresa.

In wake of OPM breach, few sign up for protection services

Meredith Somers reports: Federal employees don’t think their personally identifiable information (PII) is safer than it was one year ago, but new numbers from the Office of Personnel Management show those employees are not taking advantage of the free protection offered in the wake of the massive cyber breach. About 21.5 million current and former federal employees and some of their family members were victims of the two OPM data breaches last year. Of that group, only 11.36 percent — or 2.7 million people — have enrolled in free identity protection services provided by ID Experts, according to the latest data from the agency. An exclusive Federal News Radio survey found that about 55 percent of federal workers and government contractors thought their PII was not safer than it was a year ago when the breaches were announced. Read more on Federal News Radio. I’m not sure that failure to sign up for the identity protection services indicates little interest in protecting the information. Some of the 21.5 million may already have such services as a result of other breaches, and some may have just put security freezes on their credit reports. It will be interesting to see what happens to the sign-up rate once OPM issues its revised offering that will provide protection services for 10 years instead of the three currently offered.

In wake of OPM breach, DoD proposes hack victim database

Roy Urrico reports: Weeks after the Federal government began sending snail mail notifications to the 21.5 million victims of the Office of Personnel Management breach, the Department of Defense proposed creating a hack victims database. The Pentagon’s proposed database, the Defense Manpower Data Center, would store the information in a “holding file,” according to an Oct. 14 Federal Register notice. “The information collected will be used only to verify whether or not an individual was impacted by the OPM cybersecurity incident involving background investigation records and to send a letter confirming status as ‘impacted’ or ‘not impacted’ by this incident,” the proposal stated. Read more on Credit Union Times.

CIA Withdrew Officers From US Embassy In Beijing After OPM Breach: Report

Aditya Tejas reports: The U.S. Central Intelligence Agency (CIA) pulled a number of officers from the American Embassy in Beijing as a precautionary measure after a massive cyberattack in June compromised the personal data of over 22 million federal employees, according to a report Tuesday. U.S. officials reportedly said the data breach was conducted by a hostile party to identify spies and other American officials who could be blackmailed to provide information. The records, stolen from the Office of Personnel Management (OPM), contain the background checks of State Department employees. Read more on International Business Times.

Meanwhile, back at the OPM breach….

Victims of the breach still have not been notified. OPM will start sending postal letters “later this month.” The government will spend $133 million on identity theft protection services. With options, it could go up to $330 million. ID Experts (Identity Theft Guard Solutions LLC) got the gig to provide the service, which will provide three years of credit monitoring and $1 million in identity restoration insurance to affected employees and their minor children. CSID got the gig to provide services to the 4.2 million employees whose personal data was compromised in the initial reports of the breach.

The OPM breach details you haven’t seen

Sean Lyngaas reports: An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data and the government’s step-by-step response. It illuminates a sequence of events that lawmakers have struggled to pin down in public hearings with Obama administration officials. The timeline makes clear that the heist of data on 22 million current and former federal employees was one sustained assault rather than two separate intrusions to steal background investigation data and personnel records. The document, which bears the seals of OPM and the Department of Homeland Security, is dated July 14 and was prepared by federal investigators for the office of U.S. CIO Tony Scott, according to a source familiar with the investigation. The detailed timeline corroborates administration officials’ public testimony but is unique in its comprehensiveness and specificity. Read more on FCW. h/t, @Water_Steve

Hackers got FBI files as part of OPM breach

Cory Bennett reports: Suspected Chinese hackers breached FBI agents’ personnel files as part of the broader attack on the federal government that has laid bare millions of people’s data, Newsweek reported. Putting FBI agents’ data at risk could have national security implications; many investigate domestic terrorist plots and foreign spies. Read more on The Hill.

Updates on OPM breach(es)

Some bits ‘n pieces of the follow-ups on the OPM hack…

Malia Zimmerman reports: In addition to data from the OPM breach, Roberts said a new OWL search has uncovered another 9,500 government log-in credentials stolen this week from a variety of county, state and federal agencies across the nation, for everything from the Obamacare site, Healthcare.gov, the Internal Revenue Service, the U.S. Census Bureau, and U.S. Court System to the Child Support agency and Unemployment Agency in Ohio. Read more on FOX News.

And Andy Greenberg reported: At first, the government said the breach exposed the personal information of approximately four million people—information such as Social Security numbers, birthdates and addresses of current and former federal workers. Wrong. It turns out the hackers, who are believed to be from China, also accessed so-called SF-86 forms, documents used for conducting background checks for worker security clearances. The forms can contain a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members. They can also include potentially sensitive information about the applicant’s interactions with foreign nationals—information that could be used against those nationals in their own country. What’s more, in initial media stories about the breach, the Department of Homeland Security had touted the government’s EINSTEIN detection program, suggesting it was responsible for uncovering the hack. Nope, also wrong. Read more on Wired.

You may have seen earlier news reports that OPM’s hacked database was up for sale on the dark web, but Brian Krebs says it’s not true: A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne’er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known as Federal Prison Industries. Read more on KrebsOnSecurity.com.

And finally (for now), if you’re affected, your notification letter is coming. Seth Robson reports: The Office of Personnel Management plans to soon notify federal employees whose personal information was hacked in a massive data breach that was discovered earlier this month. The hackers, who unnamed U.S. officials say have ties to the Chinese government, appear to have breached the computer system run by OPM, with the personal information of up to 14 million government and military employees possibly compromised, according to The Associated Press. Read more on Stars and Stripes.

Russian Ministry for Digital Development proposes turnover fines for data breaches

RAPSI News reports: The Ministry for Digital Development, Communications and Mass Media of the Russian Federation is preparing a bill on turnover-based fines for personal data breaches. This additional responsibility is meant to push businesses to invest in the development of information security infrastructure and personal data protection, a statement released on the Ministry’s Telegram channel reads. Currently, legal entities face fines of 500,000 rubles (about $8,500) for the leak of personal data. Read more at RAPSI.