Press reports today (New York Times, Washington Post) indicate that personnel databases at the Office of Personnel Management (OPM) were breached in April 2015, resulting in the possible compromise of 4 million records containing sensitive personal information. OPM is apparently treating this data breach in much the same way that a private company would treat it – offering credit monitoring and identity theft insurance to affected personnel and urging such people to look for suspicious activity in their financial accounts.
It’s a good thing to offer credit monitoring and the like. But a breach of this type—involving millions of current and former employees across many federal agencies—has ramifications far beyond the financial risks to the individuals affected. With sensitive personal information in hand, attackers will have a much easier time conducting social engineering attacks against these individuals. Some of the individuals affected by this breach undoubtedly have access to sensitive *government* information, and that information is now at greater risk of compromise.
So treating this matter merely as a financial risk for affected employees misses the boat. What, if anything, will the U.S. government do to make the affected employees aware of the importance of following basic cybersecurity and cyber hygiene measures in the wake of this incident? I will feel much better once I know the answer to that question.