Phishing scam poses as OPM hack notifications

As OPM is contacting the millions of potential victims, hackers are doing the same.

In the latest development, DOD  its Web-based Joint Personnel Adjudication System, which tracks background investigations, until OPM fixed security holes in the tool OPM uses to link to DOD’s system.

While the Office of Personnel Management is busy notifying 14 million (or 18 million, or 32 million!) people about the hack of personal information from OPM databases, hackers are apparently doing the same thing.

The U.S. Computer Emergency Readiness Team has issued an alert warning of phishing scams using emails that pretend to be from OPM or the identity protection firm CSID, which OPM hired to help with the notifications. The alert doesn’t go into what the phony emails say or place in their subject lines, but it does say that the correct website for identity protection services is https://opm.csid.com. It also asks people to report any suspicious activity to US-CERT.

Meanwhile, the impact of the breach, which has been unofficially but widely blamed on China, continues to grow. When the initial hack was first reported on June 4, OPM said it affected 4 million current and former civilian employees. Later, it was revealed that another database with information on people undergoing background checks had been compromised, exposing the records of 9 million to 14 million current, former and prospective personnel, including some in the military and intelligence agencies.

More recently, the number of records exposed was put at 18 million, with speculation that it could be a lot more. Rep. Jason Chavetz (R-Utah), citing information in OPM’s 2016 budget request, recently put the number at 32 million, including 2 million people receiving annuities and 30 million who had undergone background checks, Politico reported.

The state of those records also is under scrutiny. Five years ago, OPM proposed merging intelligence agency personnel records with OPM’d system. Intelligence officials initially refused precisely because of the danger of exposing their records to a hack. But in 2014 they apparently relented, and began merging the intel database with OPM’s, according to a report in the Daily Beast.

OPM’s files also weren’t encrypted, although a Homeland Security Department official told Congress that wouldn’t have mattered in this particular case since the hackers had obtained valid user credentials, possibly through phishing, and would not have been deterred by security steps.

has taken offline