The cyber breach at America’s federal Office of Personnel Management through which the personal data of an estimated 18 million former, current – and even prospective – federal workers was lost is, by one commentator’s estimate, the “Holy Grail” from a counterintelligence perspective.
“They [the hackers] can target Americans in their database for recruitment or influence. After all, they know their vices, every last one – the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side. …
“Do you have friends in foreign countries, perhaps lovers past and present? They know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that, too. Your college drug habit? Yes, that, too.”
The comments are from John Schindler, a former professor of national security affairs at the U.S. Naval War College and veteran of the National Security Agency who writes now about counterespionage.
CNN reported just Monday that FBI Director James Comey provided the estimate that the files, including vast reams of personal details, of 18 million people had been stolen.
The report said the estimate came during a closed-door briefing to senators recently and was based on OPM’s internal data.
The records belong to even those who applied for work with the government, but never were offered, or accepted, a job.
U.S. investigators have suggested that the Chinese government is behind the theft, which is thought to be the worst ever against the U.S. government.
WND reported Monday that Heritage Foundation cyber security expert Riley Walters was alarmed by the breach, referring to the description he’s heard of it as a “Pearl Harbor.”
“The cyber analysts have been trying to use that term for quite a while now. I guess this is one of those times you could theoretically use the term,” he said.
U.S. Sen. Mark Warner, D-Va., says the attack was “a critical threat to our national security and economy.”
But he said it gets even worse.
He has written to OPM Director Katherine Archuleta taking issue with the performance of the contractor OPM hired to provide credit monitoring services and identity theft protection to the employees affected by the breach.
Warner said he has received complaints from many of them about long wait times and unreliable or inaccurate services being provided by the contractor Winvale through its subcontractor, CSID.
“As you are well aware,” Warner said in his letter to Archuleta, “I have a large number of constituents in Virginia who are current, former or retired federal employees, and in the past two weeks, I have heard complaints from many of them about the poor quality of service provided by CSID.
“My constituents have reported that the website crashes frequently, and that the company’s dedicated hotline regarding the OPM breach has incredibly long wait times,” he said. “Wait times of over an hour are not uncommon.”
Some constituents have told Warner that the wait time on the CSID hotline has been some 90 minutes to speak with a representative.
Warner said many of the workers had received inaccurate or out-of-date information regarding their credit history, which “calls into question CSID’s ability to appropriately protect them from fraud and ID theft.”
“Others have reported extreme difficulties with obtaining information from CSID regarding the terms and conditions of the $1 million in identity theft insurance they have been offered as part of CSID’s contract with the federal government,” he said.
“I also question CSID and OPM’s judgment in contacting victims by emailing with a recommendation that they click on a link to CSID’s website to sign up for credit monitoring – a violation of basic cybersecurity protocols that employees should never click on unfamiliar links because they risk exposing employees to scammers’ phishing attempts,” he said.
Warner also took issue with OPM’s approach in awarding the sole-source contract to CSID via its main contractor, Winvale Group LLC.
36-hour contract proposal
The Request for Quotation, or RFQ, was out for only 36 hours, which Warner said would not have given companies enough time to learn of it, evaluate its terms and submit a bid for the contract. As it was, OPM had amended the proposal three times.
“According to procurement experts,” Warner said, “such a short turnaround time is highly unusual and raises suggestions that OPM could have intentionally steered the contract to CSID.
“While there was and remains a time-sensitive imperative to protect the personal information of our federal workers,” Warner said, “the General Services Administration is already equipped to assist agencies in quickly setting up credit monitoring services in the event of a breach.”
In 2006, following the breach of personal information of millions of veterans and active-duty military personnel at the Department of Veterans Affairs, the GSA awarded contracts to three companies to assist federal agencies needing credit monitoring services. Those three companies were Equifax Inc., Experian Consumer Direct and Bearak Reports, a small woman-owned firm in Massachusetts.
Warner said that of the three, Bearak was not aware of the RFQ and, if it were, it would have bid on the contract.
“This raises questions as to whether OPM followed all appropriate federal procurement protocols in awarding this contract,” Warner said.
“As it stands,” Warner wrote, “at least  million federal employees have had their personal and financial information exposed and are now, through no fault of their own, at risk for potential fraud and identity theft.
“OPM has an obligation to take this threat seriously,” he said. “The agency’s awarding of this contract suggests, however, that protecting employees exposed by the breach is not the top priority for OPM that it should be.”
Current and former federal workers also have complained about further privacy concerns after they decided to register for services with CSID.
The NextGov.com website refers to one case in which a former federal employee had responded to a series of security questions, one of which had to do with student loans. After the woman answered “No” to the question of whether she had any student loans, she received three robocalls advising her she qualifies for government assistance on a student loan.
“I just thought that is such a strange coincidence that I get this call after I have had a security question involving whether or not I’ve had a student loan,” she said. “And I’m not a conspiracy theorist.”
A number of current federal employees say they intend to pass on the free assistance from CSID, since they believe it may be part of the cyber breach. One federal worker who holds a security clearance said she was leery of any letter from CSID, saying she’s not sure the notification letters are legitimate government communications.
OPM officials declined to say whether they can or will supply CSID with a government email address that directs recipients to a government website to assist with the notification process.
The company did not respond immediately to a WND request for comment.