Brian Krebs has reported that the Office of Personnel Management has sent out more than 17 million letters to victims of the second massive data breach. OPM officially opened the verification centre on 1st December, specifically for those former and current federal employees and their families who haven’t received letters, but think they may have been impacted, and for those people who have received letters but their personal identification number (PIN) isn’t working or has been lost.
But a senior OPM official is asking them to wait at least another week to 10 days until OPM finishes sending out letters to about 93 percent of the estimated 21.5 million former and current federal employees and their families. OPM says the site will be available through the end of December 2018.
Commenting on this, Ryan Wilk, director at NuData Security, said: "With many US citizens being notified this week that their fingerprints, background checks, Social Security numbers and other sensitive information was jeopardised, it has once again thrown the OPM hack from earlier this year back into the spotlight. With breaches such as this being a near-weekly occurrence, it is clear that organisations can no longer depend on a single-layered security system, and instead should be more proactively looking at multi-layered systems that involve the use of user behaviour analytics.
It is no longer enough to rely solely on the data. Many hackers are looking for a quick pay day by stealing data and then selling it on the dark web. But data isn't always taken for financial reasons; it can also be used for blackmail purposes, or to target governments, as seen here in the OPM breach. Our world today is 100% integrated into technology, and a lot of damage can be done with the right login. To fight this trend, companies need an enhanced method to protect themselves and their valued data. By focusing more on passive biometrics organisations can establish how legitimate account holders actually act, and through that be more secure in the knowledge that it is their real user accessing the account - whether it be for e-commerce sites, or higher risk areas such as OPM. It is only once this is established that companies will no longer have to rely only on login credentials that can easily be spoofed or stolen."