"It's really frustrating to think that my family might suffer from my information having been stolen." Those are the words of David Thul, who served 22 years with the Minnesota National Guard, was deployed to Kosovo in 2003 and again to Iraq from 2005 to 2007. "My country didn't have my back," Thul told Credit.com's Christine DiGangi.
The latest numbers on the OPM breach are in:
- 19.7 million security clearance applicants
- 2 million family and friends
- 4.2 million federal employees
In terms of sheer size, the breach of the Office of Personnel Management database, may not be the biggest we have ever seen, but in terms of breadth, depth and the comprehensive nature of the sensitive personal information snagged by hacker or hackers somewhat unknown, it eclipses anything we have seen to date.
This was an egregious breach of the public trust and an epic fail on the part of the U.S. Government.
Practically every day there is another headline - some smaller than others - heralding the discovery of the compromise-du-jour of yet another business or government agency. The reactions on the part of pundits, regulators and privacy and security experts are generally the same: Disbelief, sadness, outrage, or a sigh. "How could this have happened?" "What were they thinking?" "Don't they understand the damage this could cause?" Or, "Hey, give them a break! You should be angry with the parasites who did it."
It is shocking that our government could have been this careless:
- No encryption
- No 2 factor authentication
- Improper data segmentation
- Insufficient training
- Failure to implement upgrades in a timely fashion
I'm reminded of a line from the movie Independence Day, "You knew and you did nothing." In this case, the "you" is anyone who does not take data security seriously. And with breaches now the third certainty in life, it's hard to understand how anyone can look the other way in the face of known data security issues, such as were rife at the Office of Personnel Management.
So what now? Tragically, millions of innocent Americans will be paying the price for this institutional lack of professionalism by way of fraud committed with the information that was stolen. And the threat of fraud will remain long after the news disappears along with the capped "free" credit monitoring services offered to victims.
The way back from this will not be an easy one. We are not talking about the kind of breach where one only has to change a credit card number and then deal with the annoyance of contacting creditors and all that. There is no zero liability policy for someone whose Social Security number and whose most private life details are for sale on the data black market, there for anyone who wants to use it against them either financially or politically. The information lost in the OPM breach has the potential to be permanently life altering.
To that end, the victims should not be the only ones whose lives are interrupted. We need an institutional interruption of the bad practices that allowed the breach to happen in the first place. We need to think past the limited protections of credit monitoring for a set period of time. Given the severity of the data lost, footing the bill for ongoing credit freezes and other protective services seems like the moral thing to do. The solutions offered to victims should be as permanent as the loss of Social Security number privacy and whatever other information was compromised.
Many of the victims of the OPM breach have served and defended their country in good faith. It is time for a good faith measure in return: a plan to stop the digital bleeding and the Potomac 2-step when it comes to legislating workable solutions for data security during this data breach epidemic.