April 15, 2015. A date which will live in infamy. That’s the day the Office of Personnel Management (OPM) finally discovered the compromise of its internal systems. This compromise started nearly a year earlier in March of 2014 with the breach of OPM computer systems in an apparent attempt to collect the personnel files of those who had applied for SECRET and TOP SECRET security clearances.
OPM is the United States Office of Personnel Management. Their mission includes recruiting, retaining and building a workforce for the federal government. A key part of the mission:
We conduct background investigations for prospective employees and security clearances across government, with hundreds of thousands of cases each year.
This is not another blog post about the massive and epic failure of OPM. You can read those great articles here, here, here, here and here. Rather, this is a post about the massive and epic failure of notification. By all accounts, including OPM, the breach was finally discovered on April 15, 2015. When did I finally get my notification? December 13, 2015. Merry Christmas indeed Mr. Scrooge.
Do you know how wonderful it is to walk out to the mailbox to find this delayed notification just in time for Christmas? My TOP SECRET clearance had been granted nearly 14 years ago for work I was doing in the Department of Defense, Department of Justice, and US State Department Antiterrorism Assistance Program.
Here’s the best part. My wife – who was listed on my background investigation obviously – got her OPM notification a full week before I did! I’ve included the actual notification I received. Besides the crap credit monitoring OPM offered (here’s a much better offer from Military.com), there’s not much else of any value except for the valuable lessons to be learned.
You are the first line of defense. Make sure to download my latest guide “The 2015 [Interactive Holiday Guide to Identity Security“. One of the bonus sections talks about your SSN – Social Security Number – and some easy steps you can take to protect the use of it.
It’s time to become an Identity Security Warrior. Shields up!
PS…for you hacker types that are trying to see if you can remove the redacted parts of the photo – don’t bother. I took screen shots of the PDF file. Then I added the redactions. Then I took another screen shot. Using Keynote, I added both screen shots and made a single image out of them. I’m not paranoid. Well…not yet.