Critical Read

How OPM breach victims can fight back

What: An Institute for Critical Infrastructure Technology report titled “Moving Forward: How Victims Can Regain Control & Mitigate Threats in the Wake of the OPM Breach.”

Why: In the post-Office of Personnel Management breach world, it pays to be extra careful.

ICIT’s prescriptions include lying to websites, being vigilant about kids’ social media exposure and taking passwords seriously.

The institute’s experts advise that the personal information stolen in the hack could have destructive consequences for both the United States and individual citizens over the long term, but the impact could be limited if the right steps are taken now.

First and foremost, the U.S. government needs to alert affected people (something it has done for the first breach, but not for the second, bigger breach of security clearance information), delete old user accounts and refocus on training feds to avoid phishing campaigns and other attacks, the ICIT report recommends.

Individuals can take many steps as well.

Credit monitoring and credit freezes are two such steps, along with regular checks of financial statements.

Because the stolen security clearance forms contain so much personal information, individuals should stop using accurate information for security questions on social media, banking and other websites, ICIT says. (For instance, if the question is, “What is your mother’s maiden name?,” don’t use her actual maiden name as the answer – because adversaries probably know it. Use her first name, or a different name altogether, instead.)

ICIT also recommends changing all passwords every three months, avoiding password managers and coming up with unique ways that you can remember and organize highly complicated passwords.

Don’t forget about kids. Since their names could have been exposed in the breach, feds’ children could become targets of phishing attempts or social engineering. ICIT recommends talking to kids about online dangers and deploying firewalls at home.

Above all, ICIT’s report says, the OPM breach provides an opportunity for individuals, private-sector companies and the government to radically rethink and strengthen approaches to cybersecurity.

Verbatim: “The White House, Congress, and the media have focused heavily on attributing fault for the breaches. Considerably less effort has been dedicated to mitigating the impact of the breach at the individual level. … Even if a nation state, such as China, admitted to committing the breach, the information would still be lost, the damage would still be done, and the victims would still be in peril. Neither sale nor use of the information from the OPM breaches has been confirmed. Therefore, a great deal of the potential impact can be mitigated if attempts at proactive measures supersede attribution attempts.”