Army Thought OPM Attempt to Help Breach Victims Was a Phishing Attack

Federal workers lost their personal information to hackers — then when they were given free credit monitoring, the Army blocked the monitoring offers as "phishing."

Katherine Archuleta, director of the Office of Personnel Management, speaks during a hearing of the Senate Homeland Security and Governmental Affairs Committee on Capitol Hill June 25, 2015 in Washington, DC. Witnesses testified about the hacking of Office of Personnel Management data. Photo: Brendan Smialowski/AFP/Getty Images

Last month, in the wake of a series of massive breaches at the federal Office of Personnel Management, the Army issued a bulletin warning that some victims were being hit by hackers a second time, this time with an email phishing campaign asking them to input personal information into a third-party website to receive credit monitoring.

Except it turns out the email in question was completely legitimate. It was sent en masse by the OPM contractor providing notification and credit-monitoring services to the agency’s hacking victims. Army and Air Force investigations of the “phishing scam” delayed by several days both victim notification and credit monitoring benefits to Defense Department personnel whose private information had fallen prey to OPM hackers. The emails notifying victims and linking to information about the monitoring only went through after spam filters were reset.

The confusion over the credit-monitoring emails appears to reflect a larger lack of coordination among government agencies following the announcement of the breaches, the first of which compromised the data of 4.2 million people and the second of which the OPM has said affected some 22 million people.

The Army warned people away from opening the email providing notification and free credit monitoring in unequivocal terms. “In recent days, we’ve learned of a new phishing attack that attempts to draw the attention of recipients with the subject line, ‘Important Message from the U.S. Office of Personnel Management CIO,’” said a June 9 threat intelligence alert. The alert was quoted in the Army Weekly Protection Information Bulletin 5-11 June 2015, obtained by The Intercept.

The alert added that while the “phishing” emails purport to be from the Office of Personnel Management’s chief information officer, “users are actually directed to a fake website and asked to enter private information.”

“Close the message immediately and report it as spam to the Cyber Security Network Defense Team,” the alert ordered.

The Army attempted to correct its alert in a separate bulletin issued days later, in which it said that probes by the Army Criminal Investigative Division and the Air Force’s Office of Special Investigations had determined that OPM, not hackers, had actually sent the emails asking Defense Department employees to provide personal information via a third-party site.

From the Army Weekly Protection Information Bulletin, June 5-11, 2015.

On the Frequently Asked Questions section of OPM’s website, the agency now explains that it hired a company to send out the notifications to people whose personal information was compromised in the breach. Clicking on an “Enroll Now” link would direct the recipient to a site where the person was asked to enter his or her personal information in order to receive credit-monitoring services.

The Army’s second, corrective bulletin reminded recipients that Defense Department personnel are routinely told, “Never respond to an e-mail with your personal information attached.”

Even after determining the OPM emails were legitimate, the Army appeared to suggest that enrolling in the credit-monitoring service via email links to the third-party website might not be safe.

“Legitimate sources usually will not require you to provide your personal information in an e-mail and you should normally report the matter to your security manager if they do,” the updated alert stated.

“Even though USACIDC & OSI offices have determined the email to be legitimate, it may be a good idea to contact the sender and transmit the information requested personally with an individual from the OPM office directly.”

In an emailed statement, OPM agency spokesperson Sam Schumach said: “OPM understands things could have gone better, but ultimately I think we’re satisfied with the end result and our partnership with [credit-monitoring firm] CSID, because we do have a 98 percent contact rate and 21 percent take-up rate, which is unprecedented in terms of a breach like this.”

The Defense Department referred questions to the division of the Army that published the weekly report containing the updated phishing alert. On Tuesday, an employee of the division told The Intercept to wait for a return call.
