BreachExchange mailing list archives

Still wondering if OPM cyber breach impacted you? Now you can find the answer


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 2 Dec 2015 17:07:12 -0600

http://federalnewsradio.com/opm-cyber-breach/2015/12/still-wondering-opm-cyber-breach-impacted-now-can-find-answer/

The Office of Personnel Management has sent out more than 17 million
letters to victims of the second massive data breach. But federal employees
and their family members who still are waiting to hear if they were
impacted by the cyber attack now have a place to go and find out.

OPM officially opened the verification center
<http://www.opm.gov/cybersecurity> for business Dec. 1, specifically for
those former and current federal employees and their families who haven’t
received letters, but think they may have been impacted, and for those
people who have received letters but their personal identification number
(PIN) isn’t working or has been lost.

But a senior OPM official is asking them to wait at least another week to
10 days until OPM finishes sending out letters to about 93 percent of the
estimated 21.5 million former and current federal employees and their
families.

OPM says the site will be available through the end of December 2018. OPM
says if individuals cannot get their questions answered online, they may
request assistance by calling 866-408-4555 and speaking with an agent. The
call center will be open from 9 a.m. to 9 p.m. Eastern Standard Time,
Monday through Friday.

“The individual will call or preferably go online to the verification
center’s website and they will be asked for information about themselves
like their Social Security number, name, date of birth, address and other
information, but then they will not receive immediate feedback — a yes or
no as to whether they’ve been affected,” said the senior official, who
requested to speak on background in order to talk about the site before it
was officially launched. “Once that information is submitted, they will
receive a Postal Service letter in the mail two to four weeks later. It
will include a 25-digit PIN number if they have been impacted. If they have
not been impacted, the letter will state that.”

The official said the reason for the further delay in getting the notice is
two-fold. First, the official said it’s related to security and protecting
the current or former employees’ personal information.

“We’ve made the determination that security is really one of the most
important aspects of it, and we are trading off some customer experience
for security experience,” the official said. “We want to make sure that we
are securing individuals’ information and that we are doing the due
diligence to do verification. The verification website is not directly
connected to the government database we are using for the matching or
verification. The verification center will input the employees’ data, move
the data to the government system to verify whether or not they were
impacted. Then we will develop a mailing list through the Defense Logistics
Agency and send the letters to USPS for mailing.”

The official said the second reason is related to an additional measure to
protect sensitive populations in the database, such as those with top
secret clearances.

OPM said back in November
<http://federalnewsradio.com/opm-cyber-breach/2015/11/opm-breach-notification-center-live-not-yet-open-public/>
the verification center was close to opening and undergoing testing.

The Defense Information Systems Agency awarded a $1.8 million contract to
Advanced Onion, Inc.
<http://federalnewsradio.com/opm-cyber-breach/2015/10/disa-announces-ja-opm-cyberbreach-award/>
in September to build the online notification center for OPM, as well as a
system that tracks notification letters that have bounced back.

“We know we need a resource
<http://federalnewsradio.com/opm-cyber-breach/2015/11/opm-set-verification-center-cyber-breach-victims/>
for people who have been impacted but for whatever reason haven’t received
a letter, and we need a resource for people who want to find out,” the
official said. “One of things we know is the way we take data out of
system, like data about spouses goes away more quickly than that of
applicants. We know there are 1.8 million spouses or cohabitants as part of
the 21.5 million person notification, and undoubtedly more than that have
been in system. We anticipate those people may believe they have been
impacted, but actually their data has gone out of system but want to know
their status.”

One common challenge for OPM has been keeping up with the volume of former
and current federal employees calling or contacting them about the breach.

The official said the agency worked with DoD to load test the website and
have performance measures in place through the contract with ID Experts
<http://federalnewsradio.com/cybersecurity/2015/09/opm-announces-contract-for-id-theft-and-credit-monitoring-protection/>
awarded in September to ensure they can handle the expected call center
volumes.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
