In early June, US government officials confirmed1 a massive data breach at the Office of Personnel and Management (OPM). Initially, estimates stated roughly 4 million workers had their information stolen in a data breach reportedly linked to Chinese hackers. OPM then announced that another 21.5 million security clearance files were part of the hack. That meant current, former, and prospective federal workers were hit, “as well as other individuals for whom a Federal background investigation was conducted.”
For some government workers, identity theft is an irritation and an inconvenience, but for clearance holders, this hack is far scarier, as OPM is a main repository for numerous security clearance files. Security clearance holders fear more than the monetary losses that can follow identity theft; they fear losing their jobs.
Some clearance holders could lose their jobs if they’re not savvy. One trashed credit report is enough to jeopardize a top-secret clearance when it’s up for renewal. Criminal identity theft situations in which the hacker creates a bogus driver’s license or other forged documents also presents disastrous risks.
INTERVIEWS WITH SECURITY CLEARANCE HOLDERS
In 2013, idRADAR (now part of ID Watchdog) interviewed several security clearance holders about their identity theft experiences and the battle to hold onto top-secret work credentials. Only one in three managed to retain their clearance. One victim ended up homeless, unemployed, and living in a car.
In one instance, a former Air Force Major lost his clearance2 and a lucrative job even though he no longer worked with classified material. The first time he discovered his identity has been stolen was when his clearance renewal was denied. By then, it was too late. U.S. authorities eventually discovered his data was stolen from several old job applications. While the perpetrators in this case are now in jail, the Major is still reeling from the massive impact of identity theft and struggling to repair his badly damaged credit score.
The second case study3 was even more chilling. A retired, decorated veteran lost his job and his home due to identity theft. He held a lucrative job at the LA airport but was fired after police stopped him during a routine traffic check. An identity thief had used the veteran’s name to get a driver’s license then skipped out on a ticket. Although a judge stated the victim was just that – a victim – the federal government did not agree. Homeland Security decided the victim had lied about being arrested even though he’d only been caught up in a case of mistaken identity. He was fired and could not find similar work. He and his wife lived out of their car while appealing the decision unsuccessfully.
The third victim4, who managed to hang onto his clearance, was flat out lucky. While he was on Navy submarine duty in the Pacific, his wife received a call from a cell phone carrier asking how he liked the new service. In all, nine difference cell phone plans had been opened in the captain’s name without his knowledge. That breach was attributed to mail stolen from an unlocked mailbox or utility bills tossed in the trash when the couple relocated. It took hundreds of hours to clean up his files and the Naval officer was able to hold onto his clearance and his job because he discovered the theft quickly.
THE DATE TROVE AT STAKE
While OPM struggles to defend its response to the hack, a massive amount of personally identifiable information (PII) is now in the wrong hands and the resulting damage could be significant.
To obtain a coveted clearance, applicants have to complete a 127-page questionnaire called SF-86. The laundry list of data is staggering so it’s no exaggeration to call these forms the Holy Grail for identity thieves.
Each page requires your SSN to be entered before you move to the next page. Spouses also provide SSNs, maiden names where applicable and details about marriage dates and locations. Male applicants must provide Selective Service registration numbers.
In addition, information about roommates or cohabitants is required including their SSNs. Sibling data, such as proof of citizenship and passport number, is also collected along with details about foreign friends or acquaintances.
Past drug use, extramarital affairs, police records, bankruptcies, bills turned over to collection agencies and involvement with any litigation – civil or criminal – all this data is captured along with names of past medical or mental health providers.
HOW DO YOU PROTECT YOURSELF?
Early detection is key for victims. That’s what the Navy captain learned when Sprint’s phone call gave him an early alert. None of these individuals monitored their credit report for signs of credit abuse before their identity was compromised; now they all do. They also recommend buying a locking mailbox and using shredders regularly. They’ve seen just how devastating identity theft can be.
Monitoring one credit bureau is better than none, but the golden standard is monitoring the Big 3 bureaus. That’s what ID Watchdog’s Platinum level service provides. Yet, the task doesn’t stop there. Credit monitoring is just one facet of the service ID Watchdog offers. We also monitor for other new debts like payday loans that don’t get reported to a credit bureau, change of address filings, and cyber crimes. We look under every possible rock to locate identity thieves.
It’s unclear how many impacted government workers have a security rating to guard and alerting some of them may be challenging. Early reports indicated stolen records5 date back to 1982 and many mailing addresses will be outdated.
The percentage of victims from this breach who need to guard a security clearance is likely to be high. If you know anyone who works for Homeland Security, the FBI, the U.S. military, government agencies, or even private firms requiring background checks, send them a link to this article. These cautionary case studies could save more than an identity, they could save a career.
- OPM Press Release, June 4, 2015 http://www.opm.gov/news/releases/2015/06/opm-to-notify-employees-of-cybersecurity-incident/
- idRADAR series, Oct. 2013, http://www.military.com/veteran-jobs/security-clearance-jobs/2013/09/17/major-faces-long-road-back-after-identity-theft.html
- idRADAR series, Oct. 2013, http://www.military.com/veteran-jobs/security-clearance-jobs/2013/10/01/captain-saves-clearance-thwarts-identify-thieves.html
- idRADAR series, Oct. 2013, http://www.military.com/veteran-jobs/security-clearance-jobs/2013/09/03/veteran-homeless-after-battle-with-identity-theft.html
- Cyber CSIS, June 5, 2015 https://twitter.com/CyberCSIS