It is now estimated that personal data for 21.5 million people was stolen when the Office of Personnel Management (OPM) was hacked. OPM held (I dare not say “managed”) background check records for current and former government employees. The data includes social security numbers, birthdates, current and former addresses, current and former employers, and lists of friends and family members. For many it also includes history of drug use, history of mental health treatments, criminal records, and fingerprints. I am one of the 21.5 million. So is my husband. So are my children, because their information was included on my most recent background check forms.
I should be angry about the OPM data breach, but the main thing I feel is powerless. I’m an information security specialist. Most of my job revolves around preventing data breaches, but my security knowledge could not protect my data and my family’s data and so many other people’s data.
I feel betrayed. Hackers hack. That’s what they do. I feel betrayed by OPM. They should have known better than to store millions of unencrypted, sensitive records in one place. The goal is not to get hacked, but you should do things that limit what the bad guys can get. OPM did a lousy job of protecting this data. MY data. OUR data.
Understanding what they did wrong is important for helping OPM and others do better in the future, but that doesn’t help me and the rest of the 21.5 million victims of this data breach. Our data is out there. Life histories can’t be replaced as easily as credit cards. I am going to have to be vigilant about fraud for years, if not for the rest of my life. So will my kids. That’s not a gift I ever wished to bestow on them.
The OPM data breach is a massive failure of one of the scariest requirements for data security: Trust.
No matter how well you try to protect your data, there are other people and organizations who will have your data too. Sometimes you don’t have much choice but to share your data because it is required for your work, which is why so many government workers had their data at OPM. Sometimes it is required to pay your taxes or to sign up for utilities or buy a house or… You get the idea.
So is trying to protect our personal data futile because somebody else is likely to let it get stolen anyway?
No! Don’t give up! Try to protect your data when you have control over it. Don’t share sensitive data when you don’t need to. Be suspicious of emails asking for personal information or asking you to click on a link requesting such information.
Oh, and if you want to be a hero you can try to figure out a viable solution for the mess we’ve made by using Social Security Numbers as both identifier and authenticator, which is what makes SSN data breaches so serious: the same number that looks you up in a database is also the “secret” that proves you are you, so once it leaks it can never be made secret again. (The problem of how SSNs are used and misused is explained well in this Slate article.)
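To make the identifier-versus-authenticator point concrete, here is an added example (written for this post; it is not code from OPM, the Slate article, or any real agency). It contrasts two hypothetical verifiers for a service that keys its records by SSN. The first is the common “knowledge-based” check that accepts SSN plus date of birth, so anyone holding a leaked record passes. The second uses the SSN purely as a lookup key and authenticates with a per-service secret that the person enrolled with and that is stored only as a salted hash, so the same leaked record proves nothing. The sample record is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample of the kind of record a background-check database holds.
# Made-up values for this example only.
LEAKED_RECORD = {
    "ssn": "123-45-6789",
    "dob": "1980-01-15",
    "address": "1 Example Street",
}

PBKDF2_ROUNDS = 100_000


def legacy_verify(claimed_ssn, claimed_dob, record_db):
    """Knowledge-based verification: the SSN (plus DOB) doubles as the secret.

    Whoever holds a copy of the record, legitimately or not, is accepted.
    """
    rec = record_db.get(claimed_ssn)
    return rec is not None and rec["dob"] == claimed_dob


class RelyingParty:
    """Hypothetical service that uses the SSN only as an identifier.

    Authentication relies on a per-service random secret issued at enrollment
    and stored salted-and-hashed, so a dump of the identity records alone does
    not let an attacker pass verification.
    """

    def __init__(self):
        self.records = {}       # ssn -> identity record (lookup only)
        self.credentials = {}   # ssn -> (salt, pbkdf2 digest of the secret)

    def enroll(self, record):
        """Store the record and issue a fresh secret to the person.

        The clear-text secret is returned once so it can be delivered
        out-of-band; only its salted hash is retained.
        """
        ssn = record["ssn"]
        self.records[ssn] = record
        secret = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
        self.credentials[ssn] = (salt, digest)
        return secret

    def verify(self, ssn, presented_secret):
        """Constant-time check of the presented secret against the stored hash."""
        cred = self.credentials.get(ssn)
        if cred is None:
            return False
        salt, digest = cred
        candidate = hashlib.pbkdf2_hmac(
            "sha256", presented_secret.encode(), salt, PBKDF2_ROUNDS
        )
        return hmac.compare_digest(candidate, digest)


def demonstrate():
    """Run both verifiers against an attacker who only has the leaked record."""
    record_db = {LEAKED_RECORD["ssn"]: LEAKED_RECORD}
    attacker_ssn = LEAKED_RECORD["ssn"]
    attacker_dob = LEAKED_RECORD["dob"]

    rp = RelyingParty()
    owner_secret = rp.enroll(LEAKED_RECORD)   # delivered to the real person

    return {
        # Leaked data is enough when the identifier is also the authenticator.
        "legacy_accepts_leaked_data": legacy_verify(attacker_ssn, attacker_dob, record_db),
        # Leaked data is not enough once authentication uses a separate secret.
        "separated_accepts_leaked_data": rp.verify(attacker_ssn, attacker_dob)
        or rp.verify(attacker_ssn, attacker_ssn),
        # The legitimate holder of the issued secret still gets in.
        "separated_accepts_owner": rp.verify(attacker_ssn, owner_secret),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

The design choice that matters is that the secret is generated per service and per enrollment, so a breach at one holder of your records cannot be replayed against another, and re-issuing it after a breach is as cheap as replacing a credit card. An SSN can do neither.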
For now, I’ll just sign up for the free credit monitoring that is supposed to make me feel better about all this but doesn’t.