We're moving into science-fiction disaster territory as the U.S. Office of Personnel Management (OPM) admits that more than 22 million employees personal records have been stolen. But, the OPM has a new, improved plan to protect their records.
This 22 million number is even higher than the FBI's leaked 18 million figure. On an OPM site, the agency revealed the most likely victims are those who "underwent a background investigation through OPM in 2000 or afterwards."
In short, if you filled out a form SF-86, Questionnaire for National Security Positions; SF-85, Questionnaire for Non-Sensitive Positions; or SF-85P, Questionnaire for Public Trust Positions, your records are toast. Or, as OPM put it, "it is highly likely that you are impacted by the incident involving background investigations. If you underwent a background investigation prior to 2000, you still may be impacted, but it is less likely."
Before we get into the details of the plan that's to make this all better, you should know what's been revealed. These "records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details."
Other details? Some records included mental health and financial history findings from security background investigators and fingerprints. The OPM breach was already the worst of all time, and the more we learn about it, the worse it looks.
Earlier, when the OPM was admitting that "only" 4 million personnel records were stolen, the OPM came up with a quick plan to secure their identities and finances. This remediation plan was fatally flawed from the start
So, now with tens-of-millions more people exposed, here's the new plan.
1. Provide a comprehensive suite of monitoring and protection services for applicants and non-applicants whose sensitive information were stolen. This will cover the 21.5 million background investigation applicants, spouses or co-habitants with SSN and other sensitive information stolen from OPM databases. The OPM and the Department of Defense (DoD) will work with a private-sector firm specializing in credit and identity theft monitoring to provide services such as:
- Full service identity restoration support and victim recovery assistance
- Identity theft insurance
- Identity monitoring for minor children
- Continuous credit monitoring
- Fraud monitoring services beyond credit files
The OPM and DoD have not revealed what company will do this work. This protection will be provided for a period of at least three years, at no charge.
In the coming weeks, OPM will begin to send notification packages to these individuals, which will provide details on the incident and information on how to access these services. Sources at DoD said that these packages will not be sent via e-mail. The improper use of e-mail was one of the flaws in the first attempt to provide protection for government employees.
2. Help individuals included on background investigation forms. The OPM will also provide a package that affected individuals can share with people who were mentioned on their background investigation forms,
This package will explain the types of data that your families and friends may have had revealed on the form. It includes best practices they can exercise to protect themselves. Almost all of this data is the kind of thing you could find on someone's social network sites.
3. Establish an online cybersecurity incident resource center. OPM has launched a new, online incident resource center: Information about OPM Cybersecurity Incidents
This is a FAQ site for impacted individuals.
4. Establish a call center to respond to questions. In the coming weeks, a call center will be opened to respond to questions and provide more information.
Finally, barring the barn doors after the horses are out: "In the coming months, the Administration will work with Federal employee representatives and other stakeholders to develop a proposal for the types of credit and identity theft monitoring services that should be provided to all Federal employees in the future -- regardless of whether they have been affected by this incident -- to ensure their personal information is always protected."