Many Epsilon employees, myself included, were among the 22.1 million people to have their privacy compromised by the Office of Personnel Management data breach. For those unfamiliar with the breach, OPM’s records on millions of federal employees, applicants, and contractors who received or sought a security clearance prior to June 2015 have been stolen.
In addition to the usual information used to verify identity, open a bank account, or apply for a loan, OPM stores employment history, driver’s license and passport information, Social Security numbers for close family, names and contact information for friends and coworkers, notes from investigators, fingerprints, and detailed medical and lifestyle history for many of these individuals. In short, the information that was stolen is a pretty good summary of all of the details that you would NOT want someone to know about you. In addition to being used for identity theft, this information could be used to impersonate a friend or loved one, for blackmail, or even, theoretically, to frame someone for a crime.
For those who had their data compromised, the notification letter from OPM that many of us received recently offers little solace. In this letter, OPM details how they contracted with a company called ID Experts (for $133M) to provide identity theft protection services including insurance, monitoring, and restoration services to affected individuals and their dependents under 18 years old. This three years of coverage will, in theory, protect my daughter’s identity until she is nearly 10 years old—but leaves her vulnerable to identity theft due to this incident for the rest of her life.
Michael Taylor, our Cyber Security Expert, presented some even more disturbing findings from his experience in attempting to register for the OPM-sanctioned identity protection services. Specifically, he discovered that four out of the five identity verification questions requested information that would either be directly available to, or easily inferred from, the information obtained by the hackers who stole our information from OPM. Worse, individuals cannot change these questions to something that the hackers would not know—which is an industry best practice. Additionally, the site only allows up to a fifteen-character password. In this day and age, fifteen-character passwords are considered insufficient for security since inexperienced hackers can gain access to accounts with this low level of protection in a matter of a couple of hours.
In other words, the monitoring service offered by MyIDCare could easily be bypassed with no additional information other than what attackers already possess. What’s more, MyIDCare prompts the user to enter even more sensitive information, such as bank and credit card information and social media account information, in order to monitor these services. This means that a hacker could use the flaw in their verification system to easily obtain direct access to even more damaging information, while simultaneously disabling the protection mechanism that would alert the victim of the identity theft event.
So, what is there to do if this affects you or someone you care about?
First, reach out directly to the folks at MyIDCare and encourage them to revisit their security best practices and allow end users to choose their own security challenge questions. Additionally, we believe they should add a notice to the dedicated registration page for OPM victims that reminds them not to provide any information that would be available to OPM hackers as a part of their security challenge questions.
Second, in addition to taking basic identity protection precautions (there are exhaustive resources publicly available on this topic, so I will not cover it here), explore alternate methods of securing your financial identity. For example, back in June the Federal Trade Commission recommended placing a credit freeze with all three bureaus and provided instructions on how to do so here. The cost is minimal, but a credit freeze generally prevents someone from opening an account in your name because the issuing bank will not be able to run a credit report without your consent. While this method does not monitor current accounts, it also does not create an additional information repository that is vulnerable to attack.