SAN FRANCISCO — Millions of current and former U.S. Federal employees received an email Friday urging them to take exhaustive security precautions in the wake of the largest hack on the U.S. government in history.
The email, which includes tips such as “be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information,” urges all federal employees to run a credit check to make sure their bank accounts or credit cards have not already been compromised.
Several current and former Federal employees who spoke to BuzzFeed News about the breach described a state of panic and confusion within their offices. The breach on the Office of Personnel Management (OPM), first disclosed last week, is already the largest breach in U.S. government history. The OPM said it was currently working with the FBI, as well as with other relevant bodies, to determine the extent of the breach, which could affect many more employees than originally disclosed.
Matthew Palmer, who recently quit his job at the State Department, said he did not receive the email but was notified by a colleague that he should “change every password ever created.”
“I basically vacillate between being really panicked and being really angry at the government that this information was not secured in some better way,” said Palmer. “Who is in danger? I listed friends on those forms and my family members… are some hackers going to start going after them?”
Palmer said that the email sent to federal employees Friday from the OPM read like a “panic button.”
“They are basically telling us to be suspicious of everything and just keep checking to see if someone steals our identity, but how is that an actual plan if millions of us were affected?” asked Palmer. The email, which included specific details on how the OPM would notify employees if their data was hacked, and how to verify the details of the sender was designed so it could not be forwarded – though it was just as easy to cut-and-paste the text of the message.
The email also includes warnings against phishing attacks, as well as false URL’s and strange attachments in emails.
“It just seems like a basic ‘101 to stay safe on the internet’ rather than a specific plan of actions,” said Palmer. “It’s been a week and we still have no idea what they are doing to protect us.”
While Palmer agreed to speak on record as he is no longer employed by the U.S. government, several other current federal employees only agreed to speak to BuzzFeed News if they could remain anonymous.
The government employees described being in a “collective panic” about the hack of their personal data.
“You don’t understand how detailed the forms are. It’s over a hundred pages of you listing everything about yourself – who you are sleeping with, who your friends are – it’s like a cheat sheet to your life,” said a State Department employee in Washington D.C. “I just went and changed my bank password because part of it was my elementary school’s name, and that name is in my file.”
The 117-page questionnaire that all federal employees must complete upon being hired asks detailed questions about a new employees personal and private life. The questions, intended to insure that the employees do not have a conflict of interest and to allow the government to vet those around them, can be found online.
“It just seems like if there was ever anything that you should protect, it would be these files,” said the State Department employee.
One U.S. diplomat, who only recently married the man he has been dating for over 10 years, said the breach was a “worst case scenario.”
“I worked in the Arab World a long time, so I always kept my private life private. My husband and I are now trying to figure out if I can continue my career here, or if we are no longer safe,” he told BuzzFeed News by phone, from a country in the Middle East, where he is currently stationed.
But not every State Department employee remains convinced of the severity of the breach. "We're sort of meh about it all," another current employee told BuzzFeed News after speaking with coworkers. "After five tours in high-to-critical threat intelligence risk posts, I figure pretty much every hostile government has my personal info, medical records, and sexual proclivities well figured out."
On Thursday, the President of the American Federation of Government Employees (AFGE) claimed that all federal employees and retirees, as well as one million former federal employees, had their personal information stolen in the OPM breach. The AP later ran a story quoting unnamed sources estimating that 14 million current and former U.S. government employees had their data exposed.
“Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees,” wrote AFGE President J. David Cox. "We believe that hackers have every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race union status, and more.”
Cox is not satisfied with the Federal government's current plan to offer those affected by the hack with 18 months of credit monitoring and up to $1 million liability, he told BuzzFeed News on Friday in a phone interview from Charlotte, NC. Since many of the employees in question depend on maintaining satisfactory credit scores to keep their government clearance, Cox said, a lifetime monitoring guarantee is the least OPM can offer.
"These people are smart enough to hack into [OPM's] systems," he said, "they're smart enough to wait 18 months before exploiting the information they took."
Read full email sent by Under Secretary of Management Pat Kennedy on June 12.
Colleagues:
This is an update to my previous e-mail of June 4th [repeated at the very end of this message.]
As was communicated last week, the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the Personally Identifiable Information (PII) of some current and former Federal employees. This email provides additional information regarding next steps for those affected State Department employees. But, every employee should read this email.
In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from [DELETED] and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.
As a note of caution, confirm that the email you receive is, in fact, the official notification. It's possible that malicious groups may leverage this event to launch phishing attacks. To protect yourself, we encourage you to check the following:
1. Make sure the sender email address is [DELETED]
2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.
3. The email subject should be exactly [DELETED]
4. Do not click on the included link. Instead, record the provided PIN code, open a web browser then manually type the URL {DELETED]. You can then use the provided instructions to enroll [DELETED].
5. The email should not contain any attachments. If it does, do not open them.
6. The email should not contain any requests for additional personal information.
7. The official email should look like the sample screenshot below.
Additional information has also been made available beginning on June 8, 2015 on the company’s website [DELETED].
Regardless of whether or not you receive this notification, employees should take extra care to ensure that they are following recommended cyber and personal security procedures. If you suspect that you have received a phishing attack, contact your agency’s security office.
In general, government employees are often frequent targets of “phishing” attacks, which are surreptitious approaches to stealing your identity, accessing official computer systems, running up bills in your name, or even committing crimes using your identity. Phishing schemes use e-mail or websites to trick you into disclosing personal and sensitive information.
We will continue to keep you advised of new developments regarding this cyber-security incident as we learn more from OPM. The following includes helpful information for monitoring your identity and financial information and precautions to help you avoid being a victim.
Steps for Monitoring Your Identity and Financial Information
Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
- Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website,www.ftc.gov.
- Review resources provided on the FTC identity theft website, www.Identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
- You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.
Precautions to Help You Avoid Becoming a Victim
· Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
· Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
· Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
· Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy).
· Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
· If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
· Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
· Additional information about preventative steps by consulting the Federal Trade Commission’s website,www.consumer.gov/idtheft. The FTC also encourages those who discover that their information has been misused to file a complaint with the commission using the contact information below.
Identity Theft Clearinghouse
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
https://www.identitytheft.gov/
1-877-IDTHEFT (438-4338)
TDD: 1-202-326-2502
Hayes Brown contributed to this reporting from Washington.