The Office of Personnel Management (OPM) announced it has changed its privacy regulations in order to allow investigators to probe its databases for security vulnerabilities. The change follows the discovery of “significant entryways” for adversaries in at least three databases, Nextgov reports. The move does open up systems that contain medical files and more than 40 additional record types. (See the sidebar for more details.)
The privacy rule changes also allow external agencies, other contractors—including CSID, the company currently notifying 4.2 million individuals of the first hack—and any “appropriate persons and entities” to access OPM systems for investigatory purposes.
Odia Kagan, CIPP/E, CIPP/US, CIPM, an attorney at Ballard Spahr, said “OPM has been under close scrutiny in the aftermath of the breach, including with respect to the time it took to notify individuals.”
According to a National Journal report, the Obama administration is looking to hire a new contractor to help notify and provide identity-theft protection services for victims of the second OPM hack affecting 21.5 million individuals but isn’t expected to hire one until mid-August. The report also states CSID may face competition for the contract from other large fraud-protection services, including LifeLock. However, to throw a wrench in things, LifeLock is now facing Federal Trade Commission charges that it violated its 2010 deception settlement.
The formal process for acquiring a new contractor started last Thursday when the General Services Administration posted a request for information for the position. A preliminary timeline points to Friday, August 14, as a possible date for awarding the contract, with notifications beginning the following week.
Last week, CSID President Joe Ross defended his company’s work in notifying the first set of OPM hacking victims. He said CSID is poised to scale their services for the much bigger pool of 21.5 million victims. “We have the daily standups with OPM on a daily basis,” he said, “we’ve got the reporting in place, so the scalability is the key. If it was to come down to the next 21.5 (million), it’s just that we’re positioned to scale.”
OPM is also requesting that other federal agencies help pay for the credit-monitoring services it will offer to the victims of the second hack. Acting OPM Director Beth Cobert said, “Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year’s costs of credit monitoring and related services/benefits for the second incident involving 21.5 million individuals.”
The agency also plans to raise its fees for security clearance services.
Additionally, lawmakers are asking the Government Accountability Office (GAO) to review and provide a report on the effectiveness of credit-monitoring and identity-theft protection services. In a letter to GAO Comptroller General Gene Dodaro, Reps. Fred Upton (R-MI) and Frank Pallone (D-NJ) wrote, “Questions have been raised … about the usefulness and adequacy of credit-monitoring services in protecting victims’ credit following a breach.” They also ask whether such services themselves could expose personal information to future compromise.
Alarmingly, there are also concerns that adversaries may have altered security clearance background information on individuals in the OPM systems. According to Nextgov, the Obama administration did not confirm or deny whether it was able to check the integrity of the compromised records.
Last week, GAO Director Gregory Wilshusen said “the integrity of the information can be even more problematic for the agencies” if it’s not accurate. For example, an adversary could “insert some new information or a new record,” he said. “That’s a big problem, and it’s often not getting a lot of attention.”
Former CIA operative Valerie Plame, who herself was outed as an undercover operative during the political tumult of the George W. Bush presidency, said the “OPM breach is absolutely catastrophic for our national security.” The attackers, she added, “are going to be able to exploit this data for decades.”
Blame for the massive intrusions has not been forthcoming from the Obama administration. According to The Washington Post, the White House has decided to not publicly blame China for the attacks, though the nation is widely believed to be involved. One White House official hinted that such blaming could potentially expose counteroffensive efforts by the U.S.
One U.S. security official asked, “If you start trying to indict members of their intelligence service for conducting this type of espionage, what’s the response going to be? Are they going to start to indict NSA guys?”