Cybersecurity

Feckless OPM

By Jack Goldsmith
Tuesday, January 12, 2016, 4:17 PM

I expected to hear from OPM after the data breach because it directed at least two of my background checks for security clearances while I was in government.  Many acquaintances received notices.  But I got nothing.  Then just before Christmas my wife received a letter from OPM informing her that her personal information, including Social Security number, had been stolen, and offering her the standard “comprehensive suite of data theft protection and monitoring services.”  There was one catch, however.  To get those services she would need to give OPM a lot more data about herself, starting with the Social Security number that they already lost once.  She declined.

I naturally wondered how my wife’s information could be stolen and mine not, since the only reason OPM had her information was the background check of me.  I asked a friend how to find out, and he directed me here.  I clicked the “I think I may have been impacted but have not received a letter” button, which led me to an initial verification site, where I had to agree to “authorize the collection, use, maintenance, and dissemination of data that I have provided for the purposes of breach notification and to facilitate the provision of mitigation services regarding the breach of information in OPM background investigation databases.”  That done, I was directed to a second verification site.  It asked me to send in to OPM’s porous databases a bunch of new personal information about myself, plus – without any suggestion (much less guarantee) that its databases were more secure, or any sense of irony – my Social Security number.  Being less cautious than my wife, I sent the information in.  A few weeks later I received a letter from OPM Acting Director Beth Cobert.  The letter informed me that my “Social Security Number and personal information was included in the intrusion” into OPM databases.  In other words, OPM lost the sensitive data I gave it for my background checks.  Cobert did not explain why this happened, or why it sent my wife but not me a letter of notification.  She did, however, say that she shares my “concern and frustration.”  She also offered me the same data security protection OPM offered my wife – but only, of course, if I gave OPM more information, including, once again, my Social Security number.  This time I declined.

I am not sure how I would have dealt with this problem differently.  But I don’t think I would ask for a former employee's sensitive information in a letter that revealed that OPM had already lost that sensitive information once, without some assurance that the security problem had been fixed.  As a friend said when I told him this story:  “This is the gang that can’t shoot straight.  I am deeply embarrassed at the sheer incompetence of our government.”  

Topics: