    Federal employees' PII compromised: Learn to protect yourself

    Photo By Keith Hayes | OPM logo

    BARSTOW, CA, UNITED STATES

    06.11.2015

    Story by Keith Hayes 

    Marine Corps Logistics Base Barstow

    BARSTOW, Calif. - On June 4, 2015, the Office of Personnel Management reported that the personally identifiable information from as many as 4 million past and present federal employees was stolen or hacked from OPM computers.

    An article on the FederalTimes.com website indicates the breach happened several weeks ago but was not revealed to the public until much later.

    OPM detected the data breach in April, but waited until June 4 to announce it publicly. According to the announcement, the intrusion predated the office's adoption of tougher security controls.

    An article from the USAToday.com website quotes U.S. Senator Susan Collins, a member of the Senate intelligence committee, as stating the hackers were believed to be based in China. Collins said the breach was “yet another indication of a foreign power probing successfully and focusing on what appears to be data that would identify people with security clearances.”

    Preetika Celmer, Cyber Security Manager, S-6 Communications Department aboard Marine Corps Logistics Base Barstow, Calif., sent out a widest dissemination email to all MCLB Barstow employees on June 8, advising them of what some U.S. government officials have described as the largest data breach in OPM history, and steps they can take to protect their PII. The email reads, in part:

    In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring and identity theft insurance and recovery services to potentially affected individuals through CSIDR, a company that specializes in these services. This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services at no cost to enrollees.

    Additionally, a May 29 email sent out to employees aboard MCLB Barstow claiming to be from the Navy Federal Credit Union was actually a “phishing” attempt. Phishing is a mass email scheme, purportedly from a legitimate company, to trick recipients into divulging personal information. The email, which originally bore the seemingly legitimate logo of the NFCU, reads in part:

    We notice error on your Security mechanism and we have temporary disable the Security on your Online banking.
    We urge you resolve this within 24hrs as we will have to terminate your online banking if this is not resolved before Midnight.

    Celmer described this message as a textbook example of phishing which, in this instance, was identified by the base’s own email exchange server.

    The computer security expert also described a way to keep such messages from getting to your inbox in the first place.

    “You can also add these types of emails displaying misspelled words and links that are not familiar to you to your junk mail folder on Outlook to help filter out future phishing attempts.”

    Celmer cautioned employees not to send suspected phishing messages to their personal email and open them from there. “Forwarding the email to your own service is not a best practice. You are actively circumventing security measures and safeguards which could result in loss of PII.”

    There is also a resource aboard the base that employees can use. “(Employees) can report spam to the Cyber Security Office at BSTWIAworkrequests@usmc.mil and we will identify the spam and work to mitigate the issue.”

    Additionally, adding the known spam to your junk folder on your email page can help prevent these types of phishing. “Although it’s not always going to be the same email, sometimes you can identify some of the content to help filter out these phishing attempts,” she said.

    Celmer encourages employees to check their credit ratings frequently during the year and report any charges or information they don’t recognize directly to the credit reporting agency. By law, these agencies are required to report any changes they make to the other two reporting organizations.

    Protect yourself
    1. Monitor financial statements and immediately report any suspicious or unusual activity to financial institutions.
    2. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus — Equifax®, Experian®, and TransUnion® for a total of three reports every year.
    3. Review resources provided on the FTC identity theft website www.identitytheft.gov.
    4. You may place a fraud alert in your credit file to let creditors know to contact you before opening a new account in your name.

    How to avoid being a victim
    1. Be suspicious.
    2. Do not provide PII about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
    3. Do not reveal PII in emails, and do not respond to email solicitations for this information. This includes clicking on links sent in email.
    4. Do not send sensitive information over the Internet before checking a website's security.
    5. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net), or redirect you to a malicious site.
    6. Verify a suspicious email by contacting the company directly.
    7. Install and maintain anti-virus software and firewalls.
    8. Report any suspected instances of identity theft to the FBI's Internet Crime Complaint Center at www.ic3.gov.
    9. Back up files regularly.

    NEWS INFO

    Date Taken: 06.11.2015
    Date Posted: 06.25.2015 18:13
    Story ID: 168208
    Location: BARSTOW, CA, US

    PUBLIC DOMAIN