Editor’s note: This story has been updated to state the cyber breach occurred in December 2014, not April 2015, as OPM originally said. OPM became aware of the breach in April. It learned in May 2015 that personal information was compromised.
Next week, the Office of Personnel Management will begin telling up to 4 million people that they are potential victims of a cyber breach that happened in December. Hackers may have their names, Social Security Numbers, birthdates, job assignments, training files, performance ratings and current and former addresses, according to OPM Press Secretary Samuel Schumach.
If you’re a victim, you will get an email from firstname.lastname@example.org or a letter stating exactly what information may have been compromised, he said.
The hackers grabbed employment data from current and former federal employees. There is no sign that any uniformed military personnel were affected, according to defense officials. Neither were retiree records, including those of spouses and survivors, according to National Active and Retired Federal Employees Association President Richard Thissen.
“Some of you might think you’re not of interest because you don’t have access to classified information. You are mistaken,” Payne said in the video. “Foreign intelligence services aggregate large volumes of information, some of which can have significant national-security value. Additionally, they are able to identify people who are in positions with access to significant national security information and can use that data to target individuals.”
Be wary of new friends with whom you seem to have too much in common, he said. Also be careful about opening emails with attachments, even if they appear to come from someone you trust. It could be an attempt to unleash a virus that steals your computer data and tracks your keystrokes.
So what can you do now — months after the attack — to protect your identity?
OPM offers free credit monitoring and ID theft services
The agency is offering free credit monitoring services and identity theft insurance for 18 months. Beyond that, it recommends monitoring your financial account statements for unusual activity, requesting a free credit report and placing a fraud alert on your credit file by calling TransUnion at 1-800-680-7289.
Its website also lists some basic tips on staying safe, like trying to verify the identity of strangers who call, visit or email you asking for personal information about you, your agency or colleagues.
OPM’s tips are a good beginning but do not go far enough, said Jerry Irvine, chief information officer of Prescient Solutions.
“Especially in the first 30 to 60 days, [victims] should be looking at their credit reports weekly,” he said. “It’s not a possibility that they’re going to get hacked. It’s a probability. Hackers don’t go to this extent to get data and not use it.”
Cybersecurity tips for social media
OPM’s guidance fails to mention social media accounts like LinkedIn and Facebook, but those are the Achilles’ heel for cyber victims. By knowing a victim’s personal information, it’s much easier for hackers to guess at their user names and passwords, Irvine said.
“They weren’t breached, but access to that personally identifiable information will allow these malicious users to get information to target them,” he said.
He recommends changing both the user IDs and passwords, and using a different password for each account.
People who hold security clearances should take extra precautions to hide their locations online so they don’t risk physical assault, he said.
“It sounds like something out of Mission Impossible, but it’s real,” Irvine said. “It would be a good idea to change daily routines and to disable location services on your phones, tablets, computers and even the camera on your mobile device. It puts GPS coordinates on your photos.”
People with high-level security clearances shouldn’t even be on social media, he said. But if you are, you can tighten your security-access controls. For example, on Facebook, make sure that only friends — and not friends of friends — can see your posts and information.
Check in with your doctor
In addition to alerting your bank about your financial records, tell your healthcare providers to guard your medical records carefully, suggested Tyler Reguly, manager of security research for Tripwire.
“If you aren’t on a first name basis with your doctor or pharmacist, consider asking them to put a note on file to check your ID whenever you come in or pick up a prescription and ask your doctor not to accept telephone requests for prescription refills,” he said.