Five Months After the OPM Attack.

Katherine-Archuleta-Reuters-500x293.jpg

U.S. Office of Personnel Management (OPM) Director Katherine Archuleta rubs her eyes, as she testifies before a House Committee on Oversight and Government


The 21.5 million victims of the largest known breach of federal personnel data will begin receiving notifications at the end of September five months after the government first discovered the incident.
 
In announcing an initial $133 million award for protection services to a company called "ID Experts," US officials said they proceeded with caution to ensure they do not further inconvenience victims. The government plans to offer three years of credit and identity-protection services to impacted personnel, which brings the total value of the contract through December 2018 to more than $329.8 million.

While notices detailing the safeguards will not be sent until the end of the month, affected individuals are covered as of Tuesday, Office of Personnel Management officials said. The attack struck databases maintained by OPM.
Brokering a breach response contract "is something that has taken some time, because we want to do it right,” OPM Acting Director Beth Cobert said in a Tuesday evening call with reporters.
“And we also want to make sure that in the context of the notifications, we don't create any more national security issues than we have through the data that was stolen," she said. "As somebody whose data was stolen in this incident as well as in the previous one, I can understand the frustration that people feel. But we want to make sure that we're doing this right." 
The resources available, as previously announced, include credit monitoring, ID theft monitoring, ID theft insurance and ID restoration services for three years.

The giant hack, allegedly linked to Chinese spies, compromised the personal security of millions of past and present federal employees, personnel applying for "clearances" to handle classified secrets, and their family members. Clearance forms detail the medical histories, sex lives and other sensitive details of government officials who now could be subjected to blackmail, security experts say.

Portland-based I.D. Experts specializes in, among other things, medical identity theft, and the company was tapped by UCLA Health System in July to protect 4.5 million patients affected by a network breach there.
Experts familiar with the national security implications of the government data stolen helped OPM decide which protections to offer, officials said.
OPM “concluded that this was the appropriate set of services to offer for individuals given what has been taken," Cobert said.

Some of the 4.2 million victims of a smaller, related hack of personnel records complained that notifications received in response to that incident looked like malicious emails. The notifications, sent by contractor CSID, came from a dot-com email address and contained a link to a commercial website. This time, email notifications will come from either a dot-mil or dot-gov address, Cobert said.

The Defense Department -- instead of the contractor -- will be alerting all victims this go-round, officials added.
"We have the infrastructure and the logistics system to be able to accommodate such a massive notification," said Rear Adm. Althea "Allie" Coetzee, principal deputy for defense procurement and acquisition policy. "We believed that it would be a lot better handled and managed if one entity handled it -- coming from a government entity as opposed to a contractor.”
Notification by contractor "was definitely not part of the scope of work" of the contract, she added.
Security controls on the vendors’ own systems was a consideration during the vetting process, officials said.
OPM conferred with a team of cybersecurity, privacy, contracting and legal experts from agencies across the federal government, including the Pentagon and Federal Trade Commission, to help develop security provisions.
Companies competing for the project all submitted formal security plans as a part of their proposals. The government has a right to enter I.D. Experts’ facilities to make sure safeguards comply with the contract specifications, officials said.
"We got the expertise from several different perspectives and through that, we believe that we have the best security protections that are available currently," Cobert said.

The General Services Administration on Tuesday also announced winners of a $500 million five-year award to handle ID protection services for government breaches going forward.

Along with I.D. Experts, agreements were also inked with Bearak Reports, also known as "Identity Force," and Ladlas Prince. Services for OPM victims were purchased through the blanket deal.
Nextgov: http://bit.ly/1USONuS

 

« Russia & China Use Hacked Databases to Find US Spies
North Korean Leader Has His Own Cellular Network »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Pondurance

Pondurance

Pondurance is an IT Security and Compliance company providing services in Cyber Security, Continuity, Compliance and Threat Management.

ThaiCERT

ThaiCERT

ThaiCERT is the national Computer Security Incident Response Team (CSIRT) for Thailand.

Cybersixgill

Cybersixgill

Cybersixgill was founded with a single mission: to protect organizations against malicious cyber attacks that come from the deep and dark web, before they materialize.

CyberSure

CyberSure

CyberSure is a programme of collaborations and exchanges between researchers aimed at developing a framework for creating and managing cyber insurance policy for cyber systems.

A-LIGN

A-LIGN

A-LIGN is a technology-enabled security and compliance partner trusted by more than 2,500 global organizations to mitigate cybersecurity risks.

Red Snapper Recruitment

Red Snapper Recruitment

Red Snapper Recruitment is a market leading staffing services provider to the law enforcement, cyber security, offender supervision and regulatory services markets.

Altipeak Security

Altipeak Security

Altipeak Security provide Safewalk - a flexible and robust authentication platform through which we offer improved security to SMBs, corporates, banks, insurance companies, healthcare and more.

Dataprovider.com

Dataprovider.com

Our Brand Protection Suite gives you the tools to discover trademark infringement on the Internet, such as websites selling counterfeit products, even when this is not immediately noticeable.

Red Piranha

Red Piranha

Red Piranha's Crystal Eye Unified Threat Management Platform is designed for Managed Service Providers and corporations that need extreme security that is both easy to use and affordable.

Texas A&M Cybersecurity Center

Texas A&M Cybersecurity Center

Texas A&M Cybersecurity Center is dedicated to combating adversaries who desire to harm our citizens, our government, and our industry through cyber-attacks.

Pacific Global Security Group

Pacific Global Security Group

Pacific Global Security Group offers an intelligence-driven focus on all aspects of cybersecurity for IT/ICS/OT.

Techstep

Techstep

Techstep is a complete mobile technology enabler, making positive changes to the world of work; freeing people to work more effectively, securely and sustainably.

BAE Systems

BAE Systems

BAE Systems develop, engineer, manufacture, and support products and systems to deliver military capability, protect national security, and keep critical information and infrastructure secure.

SNC-Lavalin

SNC-Lavalin

SNC-Lavalin is a fully integrated professional services and project management company with offices around the world.

Elba

Elba

Employee security needs to be reinvented. SaaS security needs to involve end-user and awareness needs to be actionable. Meet elba, the 5-in-one cybersecurity hub with no compromises.

QANplatform

QANplatform

QANplatform is a Quantum-resistant hybrid blockchain platform.