Phishing e-mail delays OPM hack remediation efforts

The Office of Personnel Management briefly delayed offering credit monitoring and identity protection to employees whose records have been stolen after they discovered an almost identical phishing letter making the rounds.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

After the Office of Personnel Management (OPM) break-in, which led to millions of federal employees' personnel records being stolen, the OPM informed employees of a credit and identity protection plan for them. These notices were quickly duplicated by a hacker and used to send phishing e-mails.

In phishing, the email sender tries to trick users into handing over account logins and other personal information. The first legitimate messages, from the OPM's contractor -- identity protection company CSID -- came with links for individuals to sign up for credit monitoring and other identity protection.

In both the real and fake messages, employees were promised that they would receive a "complimentary subscription to CSID Protector Plus for 18 months. Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID until 12/7/16."

The OPM began sending out these email notifications on Monday, June 8 using the vanilla email address (opmcio@csid.com). These initial messages told recipients to click on an embedded link to register for their credit monitoring services. Of course no one should open links embedded in emails that are not digitally signed and/or come from unknown senders, but that doesn't stop people.

This, as The Washington Post reported, alarmed many security-savvy federal employees. They were afraid that those first real messages were actually phishing e-mails.

And why shouldn't they be? The OPM hack had already put their Social Security numbers, addresses and other personal information into hackers' hands.

It turned out they had every reason to be afraid. According to multiple Federal government sources, phishing messages appeared almost immediately after the real messages were sent.

Some users, however, did start to log in but discovered that the data-entry page wasn't actually secured by a proper Secure Sockets Layer (SSL) certificate. They stopped before entering their data. It seems all too likely, though, that some people continued on and gave hackers the golden ticket of all their vital personal information.

One senior official said that Department of Defense (DoD) security believes the original OPM hackers obtained a copy of the real CSID announcement e-mail and modified it for their own criminal purposes. It was because of this actual attack, and the e-mail notification's poor design, that on June 15 over internal networks, the DoD announced, "THE DEPARTMENT OF DEFENSE, WITH OPM AND CSID SUPPORT, HAS SUSPENDED FURTHER NOTIFICATIONS TO DOD PERSONNEL UNTIL AN IMPROVED, MORE SECURE NOTIFICATION AND RESPONSE PROCESS IS IN PLACE."

It's little short of appalling that for a week the OPM sent out emails telling recipients to click on an embedded link to register for their credit monitoring services. This opened the door wide for phishing attacks.

The DoD has suspended employee notifications "until an improved, more secure notification and response process is in place." Hopefully, sooner rather than later, a more secure notification procedure will be set up to allow DoD personnel to reliably receive notifications and register for their full privacy benefits.

According to the DoD public notice, OPM will be notifying about four million federal civilians that they'll need credit and identity protection. Those affected are "current and former Federal, including DOD, personnel."

OPM spokesman Sam Schumach suggests that former and current employees who have reason to believe their data was revealed in the hack copy and paste the Web site address, https://www.csid.com/opm/, to start their protection.
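As an added example (not code from the article, OPM or CSID), here is a recipient-side or mail-gateway check that applies the warning signs the article describes: a sender that is not at csid.com, a message that carries no digital signature, and an embedded link that is not served over https or does not point at https://www.csid.com/opm/. Both sample messages are constructed; the lookalike domain csid-opm.example and the DKIM header values are placeholders, and the signature check only tests that the header is present, not that it validates.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Expected sender domain and enrollment URL, as given in the article.
EXPECTED_SENDER_DOMAIN = "csid.com"
EXPECTED_HOST = "www.csid.com"
EXPECTED_PATH_PREFIX = "/opm/"

# Constructed sample resembling the real CSID notice (DKIM values are placeholders).
LEGITIMATE_NOTICE = """From: OPM <opmcio@csid.com>
Subject: CSID Protector Plus enrollment
DKIM-Signature: v=1; a=rsa-sha256; d=csid.com; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER

Enroll in your complimentary CSID Protector Plus subscription:
https://www.csid.com/opm/
"""

# Constructed lookalike: similar sender name, unsigned, plain-http link to another host.
LOOKALIKE_NOTICE = """From: OPM <opmcio@csid-opm.example>
Subject: CSID Protector Plus enrollment

Enroll in your complimentary CSID Protector Plus subscription:
http://csid-opm.example/opm/login
"""

def extract_links(body):
    # Pull http(s) URLs out of a plain-text or simple HTML body.
    return re.findall(r'https?://[^\s"\'<>]+', body)

def check_notification(raw_message):
    # Return a list of warning strings; an empty list means no red flags found.
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    _, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain != EXPECTED_SENDER_DOMAIN:
        findings.append(f"sender domain {sender_domain!r} is not {EXPECTED_SENDER_DOMAIN!r}")
    # Header presence only; real validation needs a DKIM library and a DNS lookup.
    if "DKIM-Signature" not in msg:
        findings.append("message is not DKIM-signed")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for link in extract_links(body):
        parts = urlparse(link)
        if parts.scheme != "https":
            findings.append(f"link {link} is not served over https")
        if parts.hostname != EXPECTED_HOST or not parts.path.startswith(EXPECTED_PATH_PREFIX):
            findings.append(f"link {link} does not point at https://{EXPECTED_HOST}{EXPECTED_PATH_PREFIX}")
    return findings
```

Run against a real notice the checks would be the same; the point is that any non-empty result is a reason to type the enrollment address by hand rather than follow the embedded link.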

OPM has a lot more work to do before government employees can consider their records secure. For example, the DoD announcement suggests that additional information on the CSID letter can be found on an OPM FAQ page. That page, http://www.opm.gov/faqs/topic/cybersecurityinformation/, doesn't currently exist.