OPM’s lack of transparency on cyber breach leaves feds frustrated, ill informed

No matter if they’re old, young, active or retired, federal employees are not satisfied with the amount of information they’re getting from the Office of Personnel Management and their own agencies about the recent data breaches, according to an online survey conducted by Federal News Radio.

When asked how they would rate OPM’s communication with current and former federal workers about the breach, an overwhelming number — 78 percent — of respondents rated the communication as “poor.” An additional 12 percent rated it as “fair.” Only 3 percent described it as “good” and less than 1 percent said it was “excellent.”

Asked whether OPM’s information was helpful, only 10 percent said they understood what happened and what they should do next. Most respondents either said they had no idea what was happening or what they should do (33 percent) or thought they understood, but weren’t sure what they should do next (31 percent).

“When it came to the first breach, the one that was announced to the employee/retiree groups, like NARFE, on June 4, OPM did the best they could in getting this information out,” said Jessica Klement, legislative director of the National Active and Retired Federal Employees. “They held two separate conference calls, with the employee/retiree organizations. Their staff was responsive. The website was ready to go. They may not have had all the information, but at least they let us know what they knew at the time.”

That all changed on June 12 when OPM made the announcement about the second data breach.

“The information coming from OPM has essentially all but ceased,” Klement said. “We have no information on who was affected, to what extent the hackers were able to get certain information. You watch the hearing before the House Oversight and Government Reform Committee, nearly every question is answered with, ‘That’s classified. We’ll discuss it at our classified briefing,’ which is furthering speculation in the federal community as to what this might mean for not only employees and retirees, but their families, people they included on any background checks, prospective federal employees, who went through the security clearance process, but ultimately were not hired. OPM can’t even answer how many people this affected, the second breach. The first one was 4 million. Media reports say 14 million. OPM is saying, ‘We don’t know.’ I think the level of frustration between June 4 and June 12 has grown exponentially.”

Todd Wells, executive director of the Federal Managers Association, said some members of his organization have reached out to him. They expressed concern about the breach, but not any panic about it.

“What I’m hearing is that folks are anxious, but that their agencies and departments are getting the information that OPM has sent out to the folks,” he said. “It just sounds like the hardest part is waiting to hear if they’ve been compromised or not, and there is that wait that’s frustrating folks.”

Most of the people responding to the survey — 65.01 percent — said they’d received an official communication from their agency notifying them about the OPM breach. Additional information came from agency chief human capital officers, chief information officers, direct supervisors and a variety of other officials within their agencies.

Much of the frustration, according to Wells, is around how long it took OPM to reveal that the first breach had occurred. The breach took place last December, but the agency didn’t reveal that until six months later.

“It’s not that they’re blaming OPM,” he said. “They understand that these things happen these days. They wish that it had not and they wish that they had been notified sooner. But they’re not really complaining that the process has been handled poorly.”

Wells did mention the one “hiccup” his members encountered was that the first telephone number OPM released for people to call in for information didn’t work. That issue has since been resolved.

“Most people want to be proactive in a situation like this,” he said. “Being told that the week before that they would be notified starting the following Monday and then for the next two weeks or so, if they had been compromised. That just puts people on pins and needles.”

OPM may have trouble reaching some retirees and former feds

While OPM and other agencies should be able to easily reach current federal workers via email or mail, the lines of communication may be more problematic when it comes to contacting some retirees and younger, former federal employees.

Survey: What remaining questions/comments do you have about the data breach?
  • “Was my data breached, what data exactly, what needs to be done to protect myself short and long term. How long will credit monitoring etc be provided to the affected parties?”
  • “I’ve been inundated with information (some which is accurate, some not) regarding the breach and tired of hearing about it in the media. With all the technology out there we will continue to have breaches in the private and public sector.”
  • “It is ironic that in order to sign up for services to protect you, you must supply them with your Social Security number, and then be asked “If you are a robot”. I guess we haven’t learned our lessons at all.”
  • “What now? If the info is already leaked out isn’t it too late now? They already have my info.”
  • “What about the information of family members and others contained in our files? No mention to how they may be affected by this breach and I believe 18 months is too short an amount of time to offer protection due to the level of the breach and the amount of information that was lost. Basically in 18 months we either have to financially bear the brunt of this breach or leave our personal data unprotected and available to be used. Hackers have been known to sit on this type of info for years prior to launching an attack on the victim.”

“If you’re at work, certainly if they’re not retirees, they’re getting the same information through all the same channels,” Wells said. “It’s coming down through their agencies and departments, from OPM through email. Notices are even being put up. They’re hearing it in the national news. Organizations like ours are sending them emails. Of course, ultimately, if they don’t have an email address that they believe is valid, they’ll be sending a letter through the U.S. mail. I think we’re going to have to wait and see how it affects retirees.”

Many FMA members are retirees, many of whom may not be checking their email regularly.

“The world is so tuned into email and the Internet and the national news. Federal News Radio is reporting on it,” Wells said. “I don’t think there’s a best practice necessarily that’s going to fit everybody. But to hit all the outlets like we are going with email for the folks so they can react as quickly as possible, but U.S. mail for the folks that we don’t have good data for. I don’t think OPM can do anything better than that. I’m thankful the media’s reporting on it and then groups like ours, the unions that are reaching out to their folks that may be retired or active too. I don’t think there’s anything better to do than what’s being done right now.”

If a former federal employee is in the old Civil Service Retirement System or paid into a Thrift Savings Plan account, their contact information should be available.

“There’s probably data about where they are, since they’re getting an annuity. They’re getting their pension paid out of that,” Wells said. “I actually wonder about some of the younger feds who may have worked for the government for five years and then have left the government. Under FERS, maybe they didn’t even keep their money in TSP. … They may be the ones that are more challenging to catch up to, simply because they change emails more often, potentially. They’re younger and they may move more often. That’s certainly something that happens when you’re younger. We’re actually thinking that that might turn out to be the bigger problem.”

Virginia Hill, the president of the Young Government Leaders’ National Board, agreed with Wells that this could be more of a concern for young people who no longer work for the federal government. Once a person leaves the government, they no longer have access to their agency’s personnel system, so they wouldn’t be able to update their contact information.

“That’s also not something that’s built into people’s job and time frame in order to actually keep up with individuals who have separated from the government,” Hill said. “So, certainly, reaching people could be a huge problem.”

Hill said her organization’s members recognize the seriousness of the data breach.

“I do think that there’s a temptation to be in denial, to feel a little bit out of control,” she said. “Given that this is not the first time that this has happened, that there’s been other data compromises recently for not only stores that people frequent, like Target, but also health care companies, and personal information has been released. So, I think that could potentially lead to people feeling like, ‘Oh, not again,’ and, ‘Oh, there’s nothing we can do about this.’ So we have to watch both mindsets.”

YGL members are asking the organization a lot of questions about the breach, from credit implications to how a breach like this could happen and what a foreign government could do with their personally identifiable information (PII).

“There’s a lot of questions about personal security and not just personal finance,” Hill said. “I think those are the things that we’re starting to hear a lot of people raise questions and be skeptical about, what might be the result of something like this.”

Some YGL members are even wondering what the long-term effects of the data breach might be, especially after the 18 months of credit monitoring that OPM is offering runs out.

“For younger feds, it’s almost like this may even feel more typical, and that’s a real shame,” Hill said. “Say somebody with only a few years of government experience, they may already have gotten three letters from OPM at this point about different breaches or PII that has been released. This is the type of thing that young feds are especially worried about government reputation. And as they’re starting their career in government, is this a safe place for me to work? Not only for my personal information and personal security, but in general, is government able to be entrusted with this information? I think that’s something that young feds are wondering at this point.”

Frequent communication is important, Hill said, adding that there are four major components that would be helpful for OPM and managers governmentwide to address:

  • What is believed or known to be true at this moment, even if that news might change.
  • What steps should individuals take? “What are the specific actions those that are affected by this breach need to take?” Hill said. “That’s a big one, because both young and seasoned employees, we have full schedules outside of work. So, providing suggested timelines to really help them make this a priority and the actions that they need to take will help to mitigate the negative response.”
  • Feds young and old need to know when they can expect a follow-up communication.
  • Where can individuals go to receive official correspondence and resources? “Directing them to a website or some kind of guide, step-by-step instructions, a place where they can receive additional resources would be really helpful,” Hill said.

Retired feds have their own concerns about getting more information about the breach

Klement said that the top question members of NARFE are asking is if the breach impacted retirement records.

“Their retirement records have their annuity number, their bank account information, where their allotments go, things of that nature,” she said. “And they’re really worried that these hackers may have access now to their bank accounts. Unfortunately, while we were very confident that the June 4 announcement of the breach did not include retirement records, we have been unable to get an answer from OPM whether this second breach, this larger breach did impact retirement records.”

Klement said retired feds don’t necessarily feel “out of the loop” compared to working feds when it comes to getting information, but they don’t have access to agency HR departments, or even the chance to talk to fellow employees, where they could get their questions answered.

“When you sit in your workplace, you talk to your colleagues. You share information. You share, ‘Oh, I got the letter today. Did you also get the letter? What steps should we take?’ There’s a lot of water cooler talk when big events like this happen, and retirees don’t have that opportunity,” she said.

In that scenario, retirees are turning to federal employee unions or organizations like NARFE to answer their questions.

“Unfortunately, since last Friday and the announcement of this second breach, we’ve had very little information to share with them,” Klement said.

For older retirees, the best information they’ll receive is probably from the Postal Service, she said.

“It’s not as up-to-the-minute as an email or a website update,” Klement said. “I can tell you from the personal experience with NARFE members, there are a lot of retired folks out there who are not comfortable with email. They don’t have a computer in their homes. So, really, they’re going to have to rely on either what’s in the printed newspaper or wait to get that letter physically in the mail from OPM.”

NARFE dedicated a webpage to the breach, which will be updated as often as possible. It will also write about it in its monthly magazine.

“We’ll do everything we can to keep NARFE members informed, but it would be helpful if OPM did their part in keeping those affected informed as well,” she said.
