It is all over the news, The 4-million Federal Employee OPM database was hacked and lots of employee information leaked to probably the Chinese. This weekend on CNN they said that the coming few days all Fed employees will receive an email something like: "You've been hacked, here's what you need to do to protect yourself."
The press has a tendency to jump to the "who" but it is more interesting to focus on the how and why. The real issue here is how the attackers penetrated the OPM again, just after a major data breach a year ago. The focus on this recent breach should be how come they did not fix an apparently systemic problem, and it is my prediction that they were hacked with a spear-phishing attack with by zero-day malware as a payload, which could have been prevented with effective security awareness training.
Also in the news this week, it came out that in 2012 the NSA was granted the authority to conduct surveillance on US Internet traffic without a warrant to investigate foreign cyber attacks. The documents indicate that the NSA pursued attackers even if there was no proof that the attacks originated outside the US. So we have the "guvmint" hoovering up massive amounts of data, and not protecting that data very well. Recipe for disaster?
Having said that, many people work (or used to work) for all kinds of government institutions, and will not know if their data was in that database or not. Sometimes they will have family members working for either local, county or state government and will be worried that their data is exposed too. This is a phishing bonanza and I'm willing to bet a hundred bucks that the cyber mafia is already working on campaigns to exploit this fear.
I would email your employees, family and friends something to this extent, feel free to copy/paste or edit:
"It's all over the news, again. A large database with information of Federal Employees has been hacked and millions of employee records are out there now. Cyber criminals are going to use this hack to scare you into clicking on phishing emails and infect your computer with malware or manipulate you into giving out personal information.
"If you receive an email that claims your personal information has been hacked, and that you need to click on links or open attachments to find out how to protect yourself, be very careful. Do not click on links, do not open attachments, and if there is a reference to a website with more information, type the web address in your browser, and do not click on any links."
For KnowBe4 customers, inoculate your employees before they get hit with this Scam Of The Week, at the house or in the office. Send them this new template from the Current Events campaign: "Federal Database Breach - Action Required"
If you aren't a KnowBe4 customer yet, ask for a quote and be pleasantly surprised:
