But those e-mails have been met with increasing alarm by employees — along with retirees and former employees with personal data at risk — who worry that the communications may be a form of “spear phishing” used by adversaries to penetrate sensitive government computer systems.
After the Defense Department raised a red flag about the e-mails its 750,000 civilian employees were starting to receive, OPM officials said late Wednesday that the government had suspended its electronic notifications this week.
“We’ve seen such distrust and concerns about phishing,” OPM spokesman Sam Schumach acknowledged, describing the feedback from many of the 4.2 million current and former employees who are being notified that personnel files containing their Social Security numbers, addresses and other personal information may have been stolen.
Computer experts said the personnel agency — already under fire from lawmakers from both parties for failing to protect sensitive databases from hackers — could be putting federal systems in jeopardy again by asking employees to click on links in the e-mails.
“There’s a risk that you desensitize people by telling them that occasionally, there’s going to be a very important email you have to click on,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology.
He called OPM’s first round of e-mail transmissions the equivalent of “sending a postcard to people saying gee, you just got hacked, go to this website. The hackers could wise up and send their own set of fake identity protection e-mails and get into your computers all over again.”
That’s precisely what worried top Defense officials before the chief information officer of the government’s largest agency told OPM last week to suspend the notifications because they disregarded basic cybersecurity training that’s crucial to ensuring the safety of military networks: Never click on unfamiliar links, attachments or e-mail addresses because they expose employees to spear phishing attacks.
Defense offices across the country posted a bulletin in their internal communication networks from CIO Terry Halvorsen that said OPM was “suspending notification to DoD personnel that their [Personal Identifying Information] may have been breached until an improved, more secure notification and response process can be put in place..”
The notice continued:
“Recognizing that DOD personnel are trained not to open links embedded in emails not digitally signed and/or sent from unknown senders, DoD officials are working closely with other federal partners to establish notification procedures that will allow DoD personnel to reliably and confidently receive these notifications, and register for the benefits to which they are entitled.”
Employees across the government and their unions have raised concerns that the e-mails refer them to the Web site of a private company with a .com address instead of coming from a government domain. Even though they are given a PIN code, many people say they’re wary of giving a contractor their Social Security numbers, addresses and other information they need to provide to qualify for identity theft insurance and credit monitoring.
The contractor, CSID, resumed the e-mail notifications late Wednesday with a change designed to give employees more confidence that the communications are legitimate and the company’s Web site secure, Schumach said. They still have the option to click directly on a link to enroll in credit protection services, but now they can copy and paste the Web site address, https://www.csid.com/opm/ themselves, a more secure strategy.
“To alleviate the concerns of phishing, OPM and [the contractor] have made changes to email notifications by adding additional options for those who want to enroll in the [contractor’s] services directly from the email,” Schumach said. “Now, affected individuals will be able to not only click on the ‘Enroll Now’ button, but will also have the option to copy a non-hyperlink address so they know exactly what website they will be visiting.”
Despite the fixes, OPM’s credibility may still suffer. Director Katherine Archuleta was berated by Democrats and Republicans on Capitol Hill this week for what they called her serious negligence in failing to take long-recommended steps to secure the computer systems containing federal personnel records. Two top Republicans have called on her to resign.
“Even when they try to clean it up, they’re getting it wrong,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, said of OPM’s response to the data breach. “A policy saying don’t send clickable links to employees is not rocket science. It’s cybersecurity 101.”
Officials are preparing to send a second round of notifications to millions of employees and contractors that the hackers also got access to their detailed personal histories.
Most federal agencies give their employees regular cybersecurity training. But with their computer systems an obvious target for cyber criminals, DOD civilians and active duty military get extensive instruction in how to store their information securely, create strong passwords and avoid exposing their networks to intruders. Some of the basic no-nos are opening links or attachments from senders they don’t know.
The danger in clicking unfamiliar links is that an employee will fall for a spear phishing scam, hitting bogus links that download malicious programs and infecting the company’s information-technology server.
J. David Cox Sr., president of the American Federation of Government Employees, the largest federal union, said in a statement, “Employees throughout the government need to be very cautious of opening any email that comes from unknown sources, since the hacking of OPM’s databases has made employees extra vulnerable to phishing schemes.”