The fallout following the highly publicized breach of millions of private documents from the Office of Personnel Management (OPM) has been huge. US citizens are losing trust in their government’s security posture as more details arise.
Worse, federal employees are worried about their safety, given that China allegedly heisted millions of their personal documents from a thought-to-be-safe server.
How deep does this federal mistrust run? The OPM has been trying to send vital information to its hundreds of thousands of employees, and many mistook these emails for malicious phishing campaigns, the Washington Post reports.
According to the Post, the OPM has been trying to alert federal employees of the breach via a series of emails that contain a link to sign up for third-party credit monitoring services. The Defense Department reportedly “raised a red flag” about these emails, which ultimately caused the agency to halt its email notification program.
The problem was that these emails could easily have come from a hacker trying to phish information from employees. They were impersonal and contained an unknown link to a non-government website.
The OPM’s tactic of informing federal employees about the breach via an email with an unknown link is fraught with irony. For one, it’s standard company protocol not to open unknown emails and definitely not to click on unknown links.
In fact, many federal employees received cybersecurity training telling them not to do such things as open links and download attachments.
As Lorenzo Hall, chief technologist at the Center for Democracy & Technology, told the Post, these emails are like “sending a postcard to people saying gee, you just got hacked, go to this website. The hackers could wise up and send their own set of fake identity protection emails and get into your computers all over again.”
An OPM spokesman said that the agency is implementing new protocol to make the email notifications look more legitimate. The emails will now contain a non-hyperlinked link to copy and paste into a new browser, as well as the ability to sign up for the credit monitoring services via email.
Even so, the OPM is still being lambasted for its perceived ineptitude. “Even when they try to clean it up, they’re getting it wrong,” said the ACLU’s Christopher Soghoian to the Post. “A policy saying don’t send clickable links to employees is not rocket science. It’s cybersecurity 101.”