Today, the Office of Personnel Management will start notifying the roughly 4 million current and former federal employees whose personal information was compromised in the major breach disclosed last week. The notifications are scheduled to continue through June 19.
But some are raising questions about the way the government is reaching out to the people whose information was breached -- and how it will make sure everyone affected by the cyberattack gets the information they need to respond to the added threats they now face.
The first wave of notifications will land in their e-mail inboxes -- a move that has some security experts puzzled. "The email will come from email@example.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach," the agency said last week.
"OPM should mail letters, not send emails," said Richard Bejtlich, chief security strategist at the cybersecurity firm FireEye and a Brookings Institution senior fellow, on Twitter. "Victims likely to be phished next."
Phishing attacks, and their targeted variant, spearphishing, are common in the wake of major hacks. In them, cybercriminals send e-mails designed to trick recipients into handing over sensitive information, opening an attachment or clicking a link that installs malicious software capable of taking over a computer. An attacker holding the stolen data can craft a message so personalized that it is hard to tell from the real notification.
Other cybercriminals may try to take advantage of the situation, too. "Spammers who are not directly involved often try to co-opt major public events -- sending out massive amounts of e-mail in the hopes that they hit someone eager for information about it," said Scott Montgomery, vice president and chief technology strategist for Intel Security.
OPM itself warned about phishing scams in advice about how to "avoid becoming a victim" in the wake of the breach. The agency did not directly respond to a question about its decision to use e-mail to notify affected individuals.
But e-mail is probably OPM's best notification option, Montgomery said, even if former and current government employees may be wary of e-mails given the digital nature of the breach. E-mail is the most cost-effective, quickest way for OPM to reach out to consumers, he said.
If, that is, OPM actually has e-mail addresses for everyone affected.
The data compromised in the breach spans years, maybe even decades, according to media reports. Reuters, for instance, quotes a source saying that the hacked information goes back to 1985 -- long before consumer Internet and e-mail came into vogue. And even if they have an e-mail address on file, it might not be up to date.
OPM does have a backup plan: "In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service," it said on its Web site.
But if the data goes back some 30 years, even finding a mailing address might be a hassle, since an individual caught up in the breach may have moved around a lot since leaving the federal workforce. (Disclosure: This reporter is a former federal employee who has changed e-mail and physical addresses multiple times since leaving government service.)
OPM spokesperson Samuel Schumach said that individuals concerned that they may be caught up in the breach could reach out to CSID, the company the agency is using to provide credit and identity theft monitoring for employees with data compromised during the breach, to check their status. "If an individual has questions pertaining to this incident, they can visit www.csid.com/opm, or call 1-844-222-2743 for more information, and to find out if they were affected," he told the Post via e-mail. "By contacting CSID, they will also be able to update their address to receive correspondence for the services provided."
A government breach of this scale represents a unique challenge compared to a similar incident in the private sector, Montgomery said, noting that in the private sector things like consumers' financial data often "ages out" after a set number of years -- meaning the company no longer retains it and thus has no need to notify long-ago customers in the event of a breach.
But experts think that the government probably has the resources to track down those exposed by the OPM breach, even if it may take a while. For employees who left a long time ago, the agency may have access to current information through pension programs, for example. If that is not the case, it may also need to coordinate with other parts of the government, such as the Internal Revenue Service, to find the address someone last used when filing taxes, or with Medicare or Medicaid, to see where an individual is receiving benefits.
"I don't think it makes notification impossible, it just makes it more of a headache," said Montgomery.
This post has been updated with responses from OPM.