The US government's human resources agency has suffered two large data breaches on its systems in large part because it failed to heed warnings from its own overseers, who had identified serious security issues for years. Now it seems the Office of Personnel Management (OPM), whose breach hit at least 4.2 million government workers, can't even deal with the aftermath of the hack the right way.
"Every aspect of the OPM breach is a case-study in how not to prepare for and respond to an intrusion," Robert Lee, a security researcher who believes he may have been a victim of the breach, told Motherboard.
On Monday, June 8, the agency started sending emails to the victims to notify them of the breach and to offer free identity theft and credit monitoring services. But instead of sending the emails from an OPM.gov address, OPM outsourced this service to CSID, a fraud detection company.
As a result, many victims got suspicious.
"There was just concern, of course, with phishing attempts and things like that," OPM spokesperson Samuel Schumach told Motherboard. "People were uncomfortable clicking on an enroll now button on an email."
The Department of Defense even asked OPM to instruct CSID to stop sending notifications, because DoD members are trained not to click on links coming from emails they don't recognize, the Washington Post reported.
Other government agencies were wary of the notifications too. Last week, an IT officer from the Department of Energy Oak Ridge National Laboratory sent an email to the lab's staffers to warn them that OPM had hired a contractor to send the notification emails, and that they'd be coming from a @csid.com address rather than an @opm.gov one, according to a copy of an email obtained by Motherboard.
"As always we should be wary of unexpected messages from unknown entities," the email from the IT officer at the Oak Ridge National Laboratory read.
This was a screw-up, according to security experts.
"These emails absolutely look like phishing emails," said Lee, who, as an Air Force Cyber Warfare Officer and a PhD candidate researching cyber security at King's College London, could have been a victim of the hack.
Worse, OPM waited a month to start telling victims that they had been hacked and used a contractor to do it—something that, according to Lee, is "beyond negligent."
When asked why OPM didn't send the emails itself, Schumach, the spokesperson, said that he "honestly didn't know" the answer.
OPM could've done better in notifying victims, but it was also put in a tough, "catch-22" situation after it was hacked, according to Adrian Sanabria, a security analyst at 451 Research.
"When the breach included all the contact information for people affected, how do you contact people about the breach and convince them you're not the bad guys?" he told Motherboard.
The security experts said that, ideally, OPM would have sent out an email from an OPM address with the full link to the sign-up page provided by CSID, so that people could've copied and pasted it.
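The two signals the experts describe, a sender domain that doesn't belong to the breached organisation and an "Enroll now" button that hides its destination, can be checked mechanically. The following is an added example, not code from the article or from OPM or CSID; the message bodies, addresses and URLs in it are constructed for illustration, and the expected domain is passed in by the caller.

```python
# Added example: score a breach-notification email the way a cautious recipient
# (or a mail filter) would. Sample messages below are constructed, not real.
import email
import re
from email import policy
from urllib.parse import urlparse

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    # Crude two-label suffix; enough for the .gov/.com cases discussed here.
    return ".".join(host.lower().split(".")[-2:])

def check_notification(raw_msg, expected_domain):
    """Return warnings for a raw RFC 822 message claiming to come from expected_domain."""
    msg = email.message_from_string(raw_msg, policy=policy.default)
    warnings = []
    sender = msg["From"].addresses[0].domain if msg["From"] else ""
    if registrable_domain(sender) != expected_domain:
        warnings.append(f"sender domain {sender} is not {expected_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if visible != href:  # button text hides where the click really goes
            host = urlparse(href).hostname or ""
            warnings.append(f"link text {visible!r} hides destination on {host}")
    return warnings

# Constructed: the contractor-sent style the article criticises.
CSID_STYLE = """\
From: OPM Notification <noreply@csid.com>
Subject: Important notice about your personal information
Content-Type: text/html

<html><body><p>Your information may have been affected.</p>
<p><a href="https://enroll.csid.com/opm?token=PLACEHOLDER">Enroll now</a></p>
</body></html>
"""

# Constructed: the style the experts recommend, first-party sender, full URL in the open.
OPM_STYLE = """\
From: OPM <notifications@opm.gov>
Subject: Important notice about your personal information
Content-Type: text/plain

Copy and paste this address into your browser: https://enroll.csid.com/opm
"""
```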
In any case, the money spent on the CSID contract could've been better spent preventing the breach, according to Lee.
"Organizations that are going to make the decision to hold on to sensitive information regarding other people's lives need to realize there is a cost associated in doing so," Lee said in an email. "That cost should be applied to actually doing security, not fumbling after a breach has occurred."
Furthermore, it's not even clear why OPM is simply offering credit monitoring in the first place, according to Chris Eng, vice president of research at Veracode and a former engineer at the NSA, and another potential victim (although he has not been notified yet either).
In the case of the OPM breach, "the notion of credit monitoring rings a little bit hollow," he said.
"Someone who's after this type of information is not after signing up for credit," Eng, who still doesn't know whether he is among the victims, told Motherboard. "They're trying to find information about people that can be sensitive, that they can use to identify [targets] for blackmail or longer running operations."
"OPM was a mess, is a mess," Scott Terban, a security researcher who was a government contractor when he worked for IBM, told me. "They cannot tell anyone how many records were taken because they can't know," he added, referring to an OPM Inspector General report that revealed that at one point OPM didn't even have an inventory of its systems and what computers and servers were connected to its network.
"I have little hope that they can do things properly," Sanabria said. "And it's not really a trust thing. I trust their intent to do the right thing. What I don't trust is their ability to."