Cybersecurity Incident Updates July-August


August 12, 2015
OPM Update

Dear Colleagues:

In the spirit of maintaining open communication, I want to update you on the steps we are taking to confront our cybersecurity challenges and to regain your trust in the IT systems that house your information.

Our team at OPM is working side-by-side with cybersecurity experts from across the Federal Government and from private industry, both to bolster the security of our systems and to ensure that the people affected by the recent incidents receive high quality service and information.

In the four weeks I’ve been at OPM, the agency has made important progress. The e-QIP system we use to process background information forms is back online and operating with enhanced security features. And, working with our interagency partners, we are developing the process for notifying the people affected by the background investigations intrusion and providing them with credit monitoring and identity theft services. We will announce details of that process in the near future. In the weeks following the award of the contract, the government will send notifications to the bulk of the individuals affected.  While we are committed to moving as quickly as practicable to get notifications out the door, we also must make these notifications in a secure manner. We recognize that building those protections into the notification process will take some extra time, but we believe this trade-off is worth it.  

We are continuously updating our online cybersecurity resource center at opm.gov/cybersecurity. We’ve added a “Recent Updates” section and a “Stay Informed” feature, which includes options to sign up for email alerts, links to OPM social media, and an RSS feed. And, OPM’s agency partners and outside organizations can now place a digital badge on their own websites that will link their users to the resource center.

The website also has valuable information about how to protect against identity theft and stay safe online. If you still have questions after browsing the website, please email us at cybersecurity@opm.gov. Our automated call center can be reached toll free at (866) 740-7153.

Feedback is important to us and vital to our success. I am committed to keeping the lines of communication open and will be writing regular blog posts and using other social media platforms, including Facebook and Twitter, to provide as much current information as possible.

We know we have much more work left to do and we are determined to meet the important challenges ahead. Even as cybersecurity remains a top priority, I am working every day with our talented team at OPM to fulfill the agency’s mission of supporting and providing exceptional and comprehensive service to our Federal family. From improving the hiring process, to developing first-class training and leadership programs, to helping agencies improve employee engagement across government, OPM will continue to be your partner.

Sincerely,

Beth Cobert
Acting Director
U.S. Office of Personnel Management

 


July 15, 2015
OPM Statement

Dear Colleagues,

I am writing to provide you with the latest information on the Office of Personnel Management (OPM) cybersecurity incidents (1. personnel records and 2. background investigation records) and some reminders about the steps you can take to monitor and protect your information moving forward.

It is our understanding that virtually all HHS employees are impacted by the incident involving personnel records.  OPM is offering credit restoration and monitoring services and other protections through CSID, a company that specializes in identity theft protection and fraud resolution.  Please note that CSID is working on the personnel records incident only and will not have further information about the background investigations records incident. All affected employees are automatically enrolled in identity theft insurance and identity restoration services – which means that, if your information was affected by the breach, you already are enrolled in these programs even if you have not yet contacted CSID. 

If you have not received a notification from OPM or CSID about your personnel records, or have misplaced the notification and have not contacted CSID to ensure you are covered by the identity protection offered by OPM, I urge you to contact CSID directly.  You can call the following phone number, where they will ask for your name, address and the last four digits of your Social Security Number for verification.  CSID Toll Free phone assistance: (844) 777-2743.  If you are affected, they will give you a PIN number that you must use on their website to sign up for protection.  You can access the CSID website here: https://www.csid.com/opm/.

In addition to providing identity protection services, OPM launched a new, online incident resource center, located at https://www.opm.gov/cybersecurity. The resource center offers up-to-date information regarding the OPM cybersecurity incidents as well as materials, training and useful information on best practices to secure data, protect against identity theft and stay safe online.  I encourage you to use this resource and, if you have questions after reviewing the website, or suggestions for additional content, please email: cybersecurity@opm.gov.

In the coming weeks, OPM will begin notifying people whose Social Security Number appeared on files impacted by the background investigation records incident.  OPM and the Department of Defense (DOD) will work with a private-sector firm specializing in credit and identity theft monitoring to provide services.  Notifications to those affected by this incident have not yet begun.

As additional information becomes available about these cybersecurity incidents, it will be posted on the HHS Intranet and sent to you by email.  Your patience and understanding are greatly appreciated as the Department of Health and Human Services works with OPM to provide you with the latest information about the steps we can take to help safeguard and protect our personal information.

E. J. Holland, Jr.

Assistant Secretary for Administration


 

July 9, 2015
Results of Forensics Investigation
Email from E.J. Holland, Jr., HHS Assistant Secretary for Administration

Dear Colleagues,

I am writing to provide an update on the recent cyber incidents at the U.S. Office of Personnel Management (OPM).  We are committed to providing you updates as soon as they are available and we are reaching out today to share updated information from OPM. The information below can be found on OPM’s new, online incident resource center – https://www.opm.gov/cybersecurity.  This site will offer information regarding the OPM incidents and will direct individuals to materials, training, and useful information on best practices to secure data, protect against identity theft, and stay safe online.  

Update from OPM:

Today, the U.S. Office of Personnel Management (OPM) announced the results of the interagency forensics investigation into a recent cyber incident involving Federal background investigation data and the steps it is taking to protect those impacted.  HHS and OPM will continue to provide additional information going forward. 

Background on the intrusion into OPM’s systems.  Since the end of 2013, OPM has undertaken an aggressive effort to upgrade the agency’s cybersecurity posture, adding numerous tools and capabilities to its various legacy networks.  As a direct result of these steps, OPM was able to identify two separate but related cybersecurity incidents on its systems. 

Today, OPM announced the results of the interagency forensic investigation into the second incident.  As previously announced, in late-May 2015, as a result of ongoing efforts to secure its systems, OPM discovered an incident affecting background investigation records of current, former, and prospective Federal employees and contractors.  Following the conclusion of the forensics investigation, OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.  Some records also include findings from interviews conducted by background investigators and fingerprints.  Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen. 

While background investigation records do contain some information regarding mental health and financial history provided by those that have applied for a security clearance and by individuals contacted during the background investigation, there is no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of Federal personnel were impacted by this incident (for example, annuity rolls, retirement records, USA JOBS, Employee Express).

This incident is separate but related to a previous incident, discovered in April 2015, affecting personnel data for current and former Federal employees.  OPM and its interagency partners concluded with a high degree of confidence that personnel data for 4.2 million individuals had been stolen.  This number has not changed since it was announced by OPM in early June, and OPM has worked to notify all of these individuals and ensure that they are provided with the appropriate support and tools to protect their personal information.

Analysis of background investigation incident.  Since learning of the incident affecting background investigation records, OPM and the interagency incident response team have moved swiftly and thoroughly to assess the breach, analyze what data may have been stolen, and identify those individuals who may be affected.  The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases.  This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.  As noted above, some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints.  There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems.

If an individual underwent a background investigation through OPM in 2000 or afterwards (which occurs through the submission of forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), it is highly likely that the individual is impacted by this cyber breach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely.

Assistance for impacted individuals.  OPM is also announcing the steps it is taking to protect those impacted:

  1. Providing a comprehensive suite of monitoring and protection services for background investigation applicants and non-applicants whose Social Security Numbers, and in many cases other sensitive information, were stolen – For the 21.5 million background investigation applicants, spouses or co-habitants with Social Security Numbers and other sensitive information that was stolen from OPM databases, OPM and the Department of Defense (DOD) will work with a private-sector firm specializing in credit and identity theft monitoring to provide services such as:
  • Full service identity restoration support and victim recovery assistance
  • Identity theft insurance
  • Identity monitoring for minor children
  • Continuous credit monitoring
  • Fraud monitoring services beyond credit files

The protections in this suite of services are tailored to address potential risks created by this particular incident, and will be provided for a period of at least 3 years, at no charge. 

In the coming weeks, OPM will begin to send notification packages to these individuals, which will provide details on the incident and information on how to access these services.  OPM will also provide educational materials and guidance to help them prevent identity theft, better secure their personal and work-related data, and become more generally informed about cyber threats and other risks presented by malicious actors.     

  2. Helping other individuals who had other information included on background investigation forms – Beyond background investigation applicants and their spouses or co-habitants described above, there are other individuals whose name, address, date of birth, or other similar information may have been listed on a background investigation form, but whose Social Security Numbers are not included.  These individuals could include immediate family members or other close contacts of the applicant.  In many cases, the information about these individuals is the same as information generally available in public forums, such as online directories or social media, and therefore the compromise of this information generally does not present the same level of risk of identity theft or other issues.

The notification package that will be sent to background investigation applicants will include detailed information that the applicant can provide to individuals he or she may have listed on a background investigation form.  This information will explain the types of data that may have been included on the form, best practices they can exercise to protect themselves, and the resources publicly available to address questions or concerns.

  3. Establishing an online cybersecurity incident resource center – Today, OPM launched a new, online incident resource center - located at https://www.opm.gov/cybersecurity - to offer information regarding the OPM incidents as well as direct individuals to materials, training, and useful information on best practices to secure data, protect against identity theft, and stay safe online.  This resource site will be regularly updated with the most recent information about both the personnel records and background investigation incidents, responses to frequently asked questions, and tools that can help guard against emerging cyber threats.
  4. Establishing a call center to respond to questions – In the coming weeks, a call center will be opened to respond to questions and provide more information.  In the interim, individuals are encouraged to visit https://www.opm.gov/cybersecurity.  Individuals will not be able to receive personalized information until notifications begin and the call center is opened.  OPM recognizes that it is important to be able to provide individual assistance to those that reach out with questions, and will work with its partners to establish this call center as quickly as possible.
  5. Protecting all Federal employees – In the coming months, the Administration will work with Federal employee representatives and other stakeholders to develop a proposal for the types of credit and identity theft monitoring services that should be provided to all Federal employees in the future – regardless of whether they have been affected by this incident – to ensure their personal information is always protected.

In conclusion, I want you to know that I am as concerned about these incidents as you are, and we want to assure you that we are in constant contact with OPM. HHS’s entire leadership is committed to providing you with the most recent resources and support. Thank you.

E.J. Holland, Jr.

HHS Assistant Secretary for Administration

 


July 6, 2015
OPM Statement

Dear Colleagues,

I am writing to provide an update on the recent cyber incidents at the U.S. Office of Personnel Management (OPM).  OPM is working hard to improve customer service, complete its forensics effort, and to conduct a comprehensive IT systems review.  Many of your questions and concerns about these incidents are addressed here.

Personnel Records Incident

First, OPM is working to complete the process of notifying individuals whose personally identifiable information (PII) may have been compromised by the incident involving personnel records announced on June 4th.  All notices will be sent by letter or email.  Notification letters are being sent by first class mail to those individuals from whom an email bounce back message was received.

OPM is offering credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. All affected employees are automatically enrolled for a comprehensive, 18-month membership, whether or not they have yet received a notice from OPM.  For more information on the CSID services and for contact information, please visit this HHS Intranet webpage: http://intranet.hhs.gov/security/ossi-cyber-incident.html

We have heard your concerns regarding these notifications and CSID’s customer service – and HHS has been working with OPM to improve the quality of your experience.  We understand that many of you are concerned about providing PII to CSID to register for this service.  OPM has confirmed that it is not possible for CSID to provide credit monitoring services without your Social Security Number, but that you will still receive identity theft protection even if you do not register. 

Background Investigation Incident

Second, regarding the separate but related cyber incident affecting background investigations announced on June 15th, we understand that many of you are concerned and are seeking more information.  This incident remains under investigation by OPM, the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI).  The investigators are working to determine the complete list of affected individuals.  Once this information is available, OPM will coordinate with agencies to send notifications to those affected individuals as soon as possible, but this will take some time.  We expect to provide information regarding affected individuals and our notification process during the week of July 6th.

E-QIP Suspension

OPM recently announced the temporary suspension of the E-QIP system, a web-based platform used to complete and submit background investigation forms. The suspension is to enable OPM to implement vulnerability mitigation.  The actions OPM has taken are not the direct result of malicious activity on its network, and there is no evidence that the vulnerability in question has been exploited. Rather, OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network.  OPM expects e-QIP could be offline for four to six weeks while these security enhancements are implemented.  It is unlikely that this situation will affect many current employees.  In the unlikely event it does, individuals affected will be contacted directly by your HHS division representative.

Resources for You

OPM also continues to update their Frequently Asked Questions which you can find here: http://www.opm.gov/cybersecurity

We encourage you to review OPM Director Katherine Archuleta’s recent blog, which also addresses many of these concerns: http://www.opm.gov/blogs/Director

OPM is the definitive source for information on the recent cyber incidents and we will continue to update you as we learn more information.

Personal Safety and Cybersecurity Reminders

The following are also some key reminders of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.

Safety of Personal Information Resources from National Counterintelligence and Security Center:

  • Employees can find information about the measures they can take to ensure the safety of their personal information at the National Counterintelligence and Security Center (NCSC) at http://www.ncsc.gov

Steps for Monitoring Your Identity and Financial Information

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report at http://www.annualcreditreport.com/ or by calling 1-877-322-8228.  Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year.  Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, http://www.ftc.gov/.
  • Review resources provided on the FTC identity theft website, http://www.identitytheft.gov/.  The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name.  Simply call TransUnion® at 1-800-680-7289 to place this alert.  TransUnion® will then notify the other two credit bureaus on your behalf.

Precautions to Help You Avoid Becoming a Victim

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information.  If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).
  • Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.  Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.  Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at http://www.ic3.gov/.
  • Additional information about preventative steps is available on the Federal Trade Commission’s website, http://www.consumer.gov/idtheft. The FTC also encourages those who discover that their information has been misused to file a complaint with the commission using the contact information below.

Identity Theft Clearinghouse
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
https://www.identitytheft.gov/
1-877-IDTHEFT (438-4338)
TDD: 1-202-326-2502


Date Last Reviewed:  April 2017