After hack by Chinese, U.S. may have broken its own cybersecurity policy

In responding to China’s massive hack of federal personnel data, the government may have run afoul of computer security again.

Over the past two weeks, the Office of Personnel Management has sent email notices to hundreds of thousands of federal employees to notify them of the breach and to recommend that they click on a link to a private contractor’s Web site to sign up for credit monitoring and other protections.

But those emails have been met with increasing alarm by employees – along with retirees and former employees with personal data at risk – who worry that the communications may be a form of “spear phishing” used by adversaries to penetrate sensitive government computer systems.

After the Defense Department raised a red flag about the emails that its 750,000 civilian employees were receiving, OPM officials said earlier this month that the government had suspended its electronic notifications.

“We’ve seen such distrust and concerns about phishing,” OPM spokesman Sam Schumach said, describing the feedback from many of the 4.2 million current and former employees who are being notified that personnel files containing their Social Security numbers, addresses and other personal information may have been stolen.

Computer experts said that the personnel agency – already under fire from lawmakers from both parties for failing to protect sensitive databases from hackers – could be putting federal systems in jeopardy by asking employees to click on links in the emails.

“There’s a risk that you desensitize people by telling them that occasionally there’s going to be a very important email you have to click on,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology.

He called OPM’s first round of email transmissions the equivalent of “sending a postcard to people saying, ‘Gee, you just got hacked – go to this Web site.’ The hackers could wise up and send their own set of fake identity-protection emails and get into your computers all over again.”

That’s precisely what worried top Defense Department officials before the department’s chief information officer told OPM last week to suspend the notifications because of their disregard for basic cybersecurity training that’s crucial to ensuring the safety of military networks: Never click on unfamiliar links, attachments or email addresses, because they expose employees to spear-phishing attacks.

Defense Department offices across the country posted a bulletin in their internal communication networks from Terry Halvorsen, the department’s chief information officer, saying that OPM was “suspending notification to DoD personnel that their [personal identifying information] may have been breached until an improved, more secure notification and response process can be put in place.”

The notice continued:

“Recognizing that DoD personnel are trained not to open links embedded in emails not digitally signed and/or sent from unknown senders, DoD officials are working closely with other federal partners to establish notification procedures that will allow DoD personnel to reliably and confidently receive these notifications, and register for the benefits to which they are entitled.”

Employees across the government and their unions have raised concerns that the emails refer them to the Web site of a private company with a “.com” address instead of a government domain. Even though they are given a PIN, many people say they’re wary of giving a contractor their Social Security numbers, addresses and other information to qualify for identity-theft insurance and credit monitoring.

The contractor, CSID, resumed the email notifications late Wednesday with a change designed to give employees more confidence that the communications are legitimate and that the company’s Web site is secure, Schumach said. They still have the option to click directly on a link to enroll in credit-protection services, but now they can copy and paste the Web site address, www.csid.com/opm, themselves, a more secure strategy.

“To alleviate the concerns of phishing, OPM and (the contractor) have made changes to email notifications by adding additional options for those who want to enroll in the [contractor’s] services directly from the email,” Schumach said. “Now, affected individuals will be able to not only click on the ‘Enroll Now’ button, but will also have the option to copy a non-hyperlink address so they know exactly what Web site they will be visiting.”

Despite the fixes, OPM’s credibility may suffer still. OPM Director Katherine Archuleta was berated by Democrats and Republicans on Capitol Hill in the past week for what they called her serious negligence in failing to take long-recommended steps to secure the computer systems containing federal personnel records. Two top Republicans have called on her to resign.

“Even when they try to clean it up, they’re getting it wrong,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, said of OPM’s response to the data breach. “A policy saying, ‘Don’t send clickable links to employees,’ is not rocket science. It’s Cybersecurity 101.”
