Hacked OPM Employee Data so Sensitive, Victims Could Need ID Theft Protection for Life

Near the end of 2014, after hackers looted Sony’s database, a number of former employees filed class action lawsuits against the company, arguing that the leak of their personal information, including their Social Security numbers, made them vulnerable to identity theft.

That threat, they argued, made Sony liable for the financial burden of having to purchase identity theft protection for the rest of their lives. This week, a group of former employees filed another court complaint claiming there had been incidents of unauthorized credit card charges, attempts by thieves to open accounts under their names, and their personal data appearing on the Internet.

There’s no guarantee that after an X number of years, you’re safe from identity thieves.

Perhaps in an effort to pre-empt this sort of problem, the Office of Personnel Management (OMP), which recently announced details of a second breach involving the lost personal information of over 20 million current and former federal employees, announced on July 9 that it would provide free identity theft protection services for all those affected by the hack—for three years at least. The first breach, discovered in April, involved 4.2 million people.

The sources of identity theft are hard to pinpoint—victims’ information could have been stolen from their employers, the doctor’s office, or a number of other places—therefore not very much data is collected on the frequency of identity theft (IT) and the time that passes after the initial leak. In other words, there’s no guarantee that after an X number of years, you’re safe from identity thieves.

“You could be at risk for IT for the rest of your life, especially if your Social Security number or date of birth was stolen,” said Paige Hanson, an educational programs manager at LifeLock, an identity theft protection agency.

The hackers were able to take the fingerprints of 1.1 million employees and the Social Security numbers (SSN) of 21 million. The former might sound more threatening, since you can’t change your fingerprint, but for the typical victim, the SSN is just as immutable.

Social Security numbers can be changed in theory—people in witness protection programs routinely do just that—but it remains an impractical choice for most people; doing so would wipe out their credit histories, making it much more difficult to secure loans. In comparison, a lifetime of identity theft protection looks downright appealing.

Children are just starting to write the script for their identity, and targeting a child is very common. — Paige Hanson, , LifeLock

Those affected by the hack not only have to look after themselves, but also immediate family members, including their children, as well as their present, and former, spouses. Immediately after the hack, some federal employees were enrolled in credit monitoring services, but the extension of similar coverage to family members wasn’t rolled out until July.

“Children are just starting to write the script for their identity, and targeting a child is very common,” Hanson said.

A 2013 report by the Justice Department found that 7 percent of U.S. residents 16 or older had experienced some form of identity theft in 2012, although most cases were limited to the use of existing bank accounts and credit cards, which are easier to change.

If there is a silver lining to the OPM fiasco, it would be raising public awareness about the threat that identity theft poses to the average American. Hanson said that every time a major hack like Sony’s or the big one affecting Target shoppers in 2014 dominated headlines, LifeLock would get more inquiries from potential customers about how to avoid identity theft.

“It’s important to be diligent about thoroughly checking your mail, [what appears to be junk mail] could be a new credit bill sent to your address,” Hanson said. “It’s important to call the credit card company and shut down that line of credit, before it starts having negative effect on [your credit score.]”