The president of the American Federation of Government Employees is taking the Office of Personnel Management to task for not providing more detailed information about the massive cyber breach that may have exposed the personally identifiable information of 4 million current and former federal employees to hackers.
“OPM has attempted to justify the withholding of information on the breach by claiming that the ongoing criminal investigation restricts your ability to inform us of exactly what happened, what vulnerabilities were exploited, who was responsible for the breach, and how damage to affected individuals will be compensated,” wrote AFGE National President J. David Cox Sr. in a letter to OPM Director Katherine Archuleta.
Cox also said that “based on sketchy information OPM” has provided, the union believed the hackers targeted the Central Personnel Data File, potentially giving them access to personnel data for every federal employee, retiree and up to 1 million former feds.
“We believe that hackers have every affected person’s Social Security number(s), military records and veterans status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more,” Cox wrote. “Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.”
An AFGE official told Federal News Radio that the intent of Cox’s letter was only to push OPM to be more transparent about what happened and to offer details with a sense of urgency.
The official said the suggestion that more data has been compromised than initially reported is based on an educated guess. But OPM has told AFGE that since it’s an active investigation no more details are available.
Richard G. Thissen, president of the National Association of Retired Federal Employees, said that his organization is calling on OPM to respond to AFGE’s claims.
“At this point, we believe AFGE’s assessment of the breach is overstated,” Thissen said, in a statement. “OPM commented to a Washington, DC, news station that it continues to believe 4.2 million individuals are affected. Additionally, OPM does not keep congressional or military employment data.
“We are also asking OPM to provide additional information on those 4.2 million individuals and what personal information was exposed. NARFE feels the federal community is entitled to know the extent of the breach in order for federal employees, former employees and retirees to take the proper precautions to protect themselves.”
During a briefing today, White House press secretary Josh Earnest said that due to the sensitive nature of the ongoing investigation, the administration was reluctant to talk openly about what information could be disclosed.
“The precise scope of how much and what type of data has been exfiltrated is something that, again, continues to be investigated by the FBI and other technical experts,” he said. “But we have already begun the process of contacting those that we thus far believe could potentially have been affected in a serious way. And if additional notifications are necessary, that’s something that we will — that responsibility is one that we take seriously. As additional notifications are necessary, we’ll make them.”
In his letter, Cox called the $1 million in liability insurance and 18 months of credit monitoring OPM is providing to affected employees “entirely inadequate,” adding that the agency at least owes the affected employees lifetime credit monitoring and insurance.
“Further, the fact that OPM has outsourced to a contractor, CSID, the responsibility for answering affected employees’ questions adds insult to injury,” he wrote. “The terms of the contract apparently do not include guaranteed access to a living, breathing human being knowledgeable enough to answer questions.”
AFGE asked OPM to reconsider that decision.
“Federal employees who have been victimized by this breach deserve more than a difficult-to-navigate website and call center contractors who do not know the answers to questions that go beyond a FAQ template,” Cox wrote.
In addition, Cox pointed out that affected employees would have difficulty dealing with the breach, since they are prohibited from using their government computers for non-work purposes. He requested that OPM coordinate the release of directives from agency secretaries in order to provide the necessary exceptions so that employees could deal with the effects of the breach on their government computers.