Last week, millions of government employees were probably quite nervous to hear their personal data had been stolen by hackers (likely from China), who gained access to a trove of data from the Office of Personnel Management.
This week, the same office is exposing those employees to further risk through its response to the breach. OPM announced it will notify all impacted individuals by email, which turns not only the affected individuals, but also anyone who worries they might be affected, into a ripe target for a phishing attack.
In its announcement, OPM said, “The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those federal employees impacted by the data breach.”
OPM is using a third party, CSID, to manage this communication, and has now, in essence, handed phishers a blueprint for their attack. Of note, CSID does at least use DMARC, which is one good step: it gives CSID visibility into who may be spoofing its domain.
Imagine you have had any kind of interaction with the OPM in the past five years or so. You may be wondering “was I one of the ones compromised?” Soon enough, an email shows up in your inbox, notifying you that you have indeed been breached, and offering credit monitoring and identity protection services. It directs you to a website, where you provide some basic information, including your name, email address, mailing address (and maybe more) and promises the credit and ID monitoring services will start immediately.
But what if you didn’t read the email closely enough? What if it came from opmcio@cdis.com, or from opmcio@cssid.com? What if you never saw the announcement to know exactly what email address you should be looking for?
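As an added example (not part of the original post), here is a defender-side check over constructed message headers: it flags senders whose domain is a near-miss of csid.com, and it treats a From: header that claims csid.com as genuine only when the receiving mail server recorded a DMARC pass. The edit-distance threshold, the sample headers and the Authentication-Results format are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_SENDER = "opmcio@csid.com"   # the address OPM announced
LOOKALIKE_MAX_DISTANCE = 2            # assumed threshold for flagging near-miss domains


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'cssid' (extra letter) and 'cdis' (shuffled) both score low."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(raw_message: str) -> str:
    """Return 'expected', 'unauthenticated', 'lookalike' or 'unrelated' for one raw message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if "@" not in addr:
        return "unrelated"
    user, domain = addr.rsplit("@", 1)
    exp_user, exp_domain = EXPECTED_SENDER.split("@")
    if domain == exp_domain:
        # Header claims the real domain: trust it only if the receiving MTA recorded dmarc=pass
        auth = msg.get("Authentication-Results", "").lower()
        if user == exp_user and re.search(r"\bdmarc=pass\b", auth):
            return "expected"
        return "unauthenticated"
    if osa_distance(domain, exp_domain) <= LOOKALIKE_MAX_DISTANCE:
        return "lookalike"
    return "unrelated"


# Constructed sample headers (not real mail) covering the cases discussed above.
SAMPLES = {
    "genuine": "From: OPM CIO <opmcio@csid.com>\nAuthentication-Results: mx.example; dmarc=pass header.from=csid.com\n\nbody\n",
    "spoofed": "From: OPM CIO <opmcio@csid.com>\nAuthentication-Results: mx.example; dmarc=fail header.from=csid.com\n\nbody\n",
    "swapped": "From: opmcio@cdis.com\n\nbody\n",
    "extra_s": "From: opmcio@cssid.com\n\nbody\n",
    "other": "From: newsletter@example.org\n\nbody\n",
}
```

A mail gateway would apply `classify_sender` per message and quarantine anything classified `lookalike` or `unauthenticated` for review.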
Now each of these employees has willingly handed this information to a second group of hackers (this time, through the phishing attack), who likely have different ambitions than China. These hackers can easily keep their victims placated by sending false credit report information (hey, your credit still looks great, nothing to worry about here), while destroying their actual credit.
OPM is in a difficult situation, and is trying to respond as quickly and cost effectively as possible to a massive breach affecting millions of government employees. But it must take a step back and make sure it does not cause greater harm to these employees with its follow-on actions.
Instead, OPM should send notifications via physical mail or secure intranet communication. OPM should also educate all employees on the risk of phishing attacks.
And finally, OPM should conduct thorough penetration testing of the third-party provider, CSID, to ensure that by handing this project off to another party, it’s not opening up its employees to yet another attack.