Last April, the Office of Personnel Management discovered a breach in its databases that exposed the personal information of millions of its current and former employees, resulting in one of the worst hacks of 2015.
A recap of the breach
According to the Washington Post, Chinese hackers compromised data such as birth dates, home addresses, Social Security Numbers and even fingerprints. The New York Times reported that the hackers also swiped the names of Chinese families, friends and associates of diplomats – information that could be potentially used for blackmail.
“It gives the Chinese the ability to exploit those who are listed as foreign contacts,” James Lewis, cyberexpert at the Center for Strategic and International Studies, told the NY Times. “And if you are a Chinese person who didn’t report your contacts or relationships with an American, you may have a problem.”
The problems only worsened when OPM didn’t notify the millions affected in the incident until later that year. When the agency offered the victims services in credit and identity monitoring, insurance and identity-restoration to potentially repair the damages, some were upset by the gesture. According to the Washington Post, many also believed that the letters of notification they received were also attempts at fraud.
Their distrust was exacerbated while news of the breach emerged and many of its details remained unclear. Different sources reported contradicting numbers of potential victims, and, for awhile, it was uncertain who was responsible for uncovering the breach and what kind of information was exploited. Bloomberg reported that the breach impacted around 14 million people, but other sources have said it could be as much as 21 million.
Eventually, OPM admitted that its security strategy was to blame. The NY Times reported that most of the compromised data was never encrypted, though that effort might have still faltered in the face of these attacks.
Where are we now?
One year later, the breach is still making headlines. While he openly denies discovering the breach, Ben Cotton, the CEO of CyTech Services, was certainly a huge part of the recovery process for OPM. The problem, he said, is that he has yet to receive payment for his contribution, and now he’s taking action.
Cotton had been at OPM demonstrating CyTech’s security tool when the breach was discovered. In an interview with FCW, he said he stayed on board for an extra week and a half to help out, without signing any official paperwork. The agreement, according to Cotton, was more of a verbal one. As this situation has played out, the lack of documentation has turned into a huge mistake for Cotton.
Cotton estimated that his company is owed around $800,000 for the services it provided to OPM during their time of need. To make matters more interesting, OPM have denied Cotton’s claims and could file a charge under the False Claims Act, according to FCW. OPM also returned the server that Cotton had left there with all its data deleted, essentially erasing any evidence of Cotton’s involvement in the recovery process. With these developments, the case remains open and unresolved, just as it has for victims of the breach.
Whether or not your information was compromised in the OPM breach, it’s an important lesson that these incidents can strike anyone at any time. While OPM and other government agencies work to improve their security efforts, you can too. One way to do so is by investing in a monitoring service like Identity Guard, which can keep an eye on your credit files and your Social Security Number, and notify you of certain activity that may indicate fraud.