This story was updated at 11 a.m. to include the most recent enrollment numbers from Winvale, which provides credit monitoring for people impacted by the first OPM breach of personally identifiable information.
Federal employees don’t think their personally identifiable information (PII) is safer than it was one year ago, but new numbers from the Office of Personnel Management show those employees are not taking advantage of the free protection offered in the wake of the massive cyber breach.
About 21.5 million current and former federal employees and some of their family members were victims of the two OPM data breaches last year.
The first breach impacted about 4.2 million people and their PII, while the second breach reached the background information form submitted by intelligence and military personnel for security clearances.
Of that second group, only 11.36 percent — or 2.7 million people — have enrolled in free identity protection services provided by ID Experts, according to the latest data from the agency.
Winvale CEO Kevin Lancaster told Federal News Radio that the enrollment rate for current and former employees impacted by the first breach is 25.37 percent, or roughly a quarter of the original 4.2 million people affected.
“We are getting folks still enrolling,” Lancaster said June 7, adding that, depending on the week, enrollment can range from 100 to 1,000 people.
As part of the special report “The OPM Breach: What’s different now,” Federal News Radio conducted a survey that found about 55 percent of federal workers and government contractors thought their PII was not safer than it was a year ago when the breaches were announced.
An average of 13 percent said their information was safer, while roughly 30 percent said they were not sure whether their information was more secure.
OPM acting Director Beth Cobert said the agency is in the middle of implementing the provisions to expand the identity theft insurance and liability protection to $5 million instead of $3 million, and extend coverage to 10 years from 3 years as required by Congress in the fiscal 2016 spending bill passed and signed into law in December.
More than two-thirds of survey respondents said neither they nor a family member had received a notification that their information was used without their consent.
Jim Jones, associate professor of computer forensics at George Mason University, said that personal data is more at risk than it was a year ago, but not for lack of trying.
“[It’s] not because we’re not doing a lot of stuff, not because we’re not improving it over time,” Jones said, comparing the effort to a game of “Whack-A-Mole.” “We are doing all those things, but the threat is growing so much faster than we’re able to respond to it. The threat is so flexible and responsive in the sense that when we do something, we close one hole they simply move on to another one.”
Jones said cybersecurity requires a different way of thinking. That means accepting that somebody is likely going to access your data, but you can protect it in a way that “when they do, they won’t be able to do anything useful with it.”
One example would be reducing the significance of Social Security numbers.
“It should not be tied to getting new credit, buying a house, reordering your birth certificate,” Jones said. “It’s a bad piece of information, it’s un-protectable in its current form, so we should have something else. That way I don’t care if somebody gets it because it’s not usable. It’s like a one-time credit card, it’s only good for one transaction.”