The database that was hacked may include much more information, but OPM has not disclosed whether payroll data or other financial records were exposed.
The Pentagon’s military and civilian payroll systems were not part of the system that was hacked, said Thomas Larock, a Pentagon spokesman. The military pays service members through a separate system known as Defense Finance and Accounting Services (DFAS). Also, OPM spokesman Sam Schumach said Friday that federal contractors are not affected unless they have prior federal service.
Personal information used for background investigations for civilian security clearances is stored separately from personnel files and is not on the same network affected by the intrusion.
OPM has told federal employees that from June 8 to June 19, the agency plans to send them e-mails notifying them that their personal information may have been compromised. The 4 million current employees and retirees will be offered free credit monitoring services and identity theft insurance with CSID, a private company. Everyone will be eligible for 18-month memberships that include credit report access, credit monitoring, identity theft insurance and recovery services.
But the agency and outside information security experts also say employees and retirees can monitor themselves to try to detect malicious activity. The personal information that’s been exposed, for example, could let a criminal craft “spear-phishing” e-mails, which are designed to fool those who receive them into opening a link or an attachment so that the hacker can gain access to computer systems. Using the stolen OPM data, for instance, a hacker might send a fake e-mail purporting to be from a colleague at work.
Here’s some guidance for federal employees and retirees:
- Don’t answer unsolicited phone calls, in-person visits or e-mails from anyone asking about federal employees or other internal information in your agency.
- Don’t provide personal information or any information about your agency or how it’s organized to anyone unless you know them or have verified that they’re legitimate.
- Don’t reveal your personal or financial information in e-mail — and don’t follow links sent through e-mail.
- Do not send sensitive information over the Internet before checking a Web site’s security.
- Pay attention to the URL of a Web site. Malicious Web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- If you’re unsure whether an e-mail request is legitimate, try to verify it by contacting the sender directly. Don’t use contact information provided on a Web site connected to the request — instead check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
- Install and maintain anti-virus software, firewalls and e-mail filters to reduce some of this traffic (for more information, see Understanding Firewalls; Understanding Anti-Virus Software; and Reducing Spam).
- Take advantage of any anti-phishing features offered by your agency.
- Monitor your checking and other financial accounts, and immediately report any suspicious or unusual activity to your bank.
- Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. You’re entitled by law to one free credit report per year from each of the three major credit bureaus. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) Web site, www.ftc.gov.
- Review the FTC identity theft Web site, www.identitytheft.gov. The agency lists a variety of consumer publications that have a lot of information on computer intrusions and identity theft.
- Consider placing a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.
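The URL check in the guidance above (a spelling variation or a different top-level domain on an otherwise familiar name) can be automated for a mail filter or a personal script. The example below is added here and is not from OPM or the article; the allowlist of expected domains and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the reader actually expects links from.
EXPECTED_DOMAINS = {"opm.gov", "annualcreditreport.com", "identitytheft.gov", "ftc.gov"}


def hostname_of(url: str) -> str:
    """Extract the lower-cased host from a URL (a scheme is added if missing)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").strip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character spelling variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'expected', 'lookalike' or 'unknown' for the URL's host."""
    host = hostname_of(url)
    # Exact match or a genuine subdomain of an expected domain (www.opm.gov).
    if any(host == g or host.endswith("." + g) for g in EXPECTED_DOMAINS):
        return "expected"
    # Expected name buried inside a longer host: opm.gov.example.org.
    if any(g in host for g in EXPECTED_DOMAINS):
        return "lookalike"
    labels = host.split(".")
    name, tld = (labels[-2], labels[-1]) if len(labels) >= 2 else (host, "")
    for good in EXPECTED_DOMAINS:
        good_name, good_tld = good.split(".")
        if name == good_name and tld != good_tld:  # same name, other TLD (.com vs .net)
            return "lookalike"
        if edit_distance(name, good_name) == 1:  # one-letter variation (0pm vs opm)
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ["https://www.opm.gov/notice", "annualcreditreport.net",
              "http://0pm.gov/login", "https://opm.gov.example.org/", "https://example.org/"]:
        print(f"{u:40} {classify_url(u)}")
```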