The Creation of IdentityTheft.gov and The Cybersecurity Attack at the OPM

The FTC recently launched IdentityTheft.gov, a new resource aimed at making it easier for identity theft victims to report and recover from identity theft.  The FTC has also created a Spanish-language version of the site at RobodeIdentidad.gov.  The websites provide an interactive checklist that walks people through the recovery process and helps them better understand what steps should be taken upon learning that a person’s identity has been stolen.  In addition to the interactive checklists, the websites also provide sample letters and other helpful resources.

Also of importance, the websites offer specialized tips for specific forms of identity theft, including tax-related identity theft, social security fraud, child identity theft, and medical identity theft.  The websites provide advice for people who have been notified that their personal information was exposed in a data breach, which has become increasingly helpful in light of the recent data breach at the U.S. Office of Personnel Management (“OPM”).

The OPM recently became aware of a cybersecurity incident affecting its systems and data that may have compromised the personal information of current and former Federal employees.  Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks.  As a result, in April 2015, OPM became aware of the incident affecting its IT systems and data that predated the adoption of these security controls.

Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team and the Federal Bureau of Investigation to determine the impact to Federal personnel.  OPM also immediately implemented additional security measures to protect the sensitive information it manages.

As a result of the incident, OPM will send notifications to approximately 4 million individuals whose PII may have been compromised.  Since the investigation is ongoing, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary.  In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring and identity theft insurance and recovery services to potentially affected individuals through CSID®, a company that specializes in these services.  This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services at no cost to enrollees.  According to the OPM:

Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM . . . We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.

OPM has issued the following guidance to affected individuals:

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.

  • Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228.  Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year.  Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.

  • Review resources provided on the FTC identity theft website, www.identitytheft.gov.  The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.

  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name.  Simply call TransUnion® at 1-800-680-7289 to place this alert.  TransUnion® will then notify the other two credit bureaus on your behalf.

How to avoid being a victim:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.  If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.

  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

  • Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).

  • Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.  Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.  Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).

  • Take advantage of any anti-phishing features offered by your email client and web browser.

  • Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
