Many Details of Computer Hack Still Undisclosed

Nearly three weeks after OPM disclosed that hackers had stolen from its computer systems records involving highly personal federal employee information that could be used for identity theft and other illegal purposes, many details remain undisclosed. The administration’s refusal to be more specific, citing security concerns of an ongoing investigation—which it continues to say could discover additional breaches—is resulting in growing frustration and anger among federal employees. For many of them, the notification emails sent over the last several weeks actually added to their concerns, since those messages came not directly from OPM but rather from a commercial address of a company under contract to OPM; they contain a small OPM logo but are not in the normal format of an OPM email. The emails further instructed recipients to click a live link to a non-governmental site and to enter information including their Social Security numbers (in order to sign up for free credit monitoring and other services being offered in response to the breach). Agencies including DoD objected that the emails were asking recipients to violate basic cyber safety practices that federal employees are supposed to follow, especially on government networks. Agencies in turn started sending their own emails explaining the OPM-sponsored emails, and advising employees to type in the online address of the contractor into a browser rather than click the live link, or to instead call the toll-free number provided. Some even instructed employees to stop forwarding the emails to their agency computer security department asking if they are legitimate, since those offices were being overwhelmed, nor forward them to anyone else since the emails included a personal identification number that itself could be compromised if forwarded. The original messaging was temporarily suspended pending a rewrite of the emails and it remains unclear when all potentially affected employees will get a notice. Despite assurances, another complication is that many employees say they are reluctant to provide their personal information to a contractor even once they are confident that the contractor is actually working for OPM.