WASHINGTON — Credit unions serving federal employees are now on heightened alert following revelations of a huge data breach at the U.S. Office of Personnel Management (OPM).
The government's human resources agency recently reported some of its data was breached by hackers American officials believe to be based in China with ties to the Chinese government.
Now the largest federal workers union claims that the attack on OPM, which released a trove of personal and sensitive information of millions of active and retired government workers, was even worse than previously thought.
J. David Cox, president of the American Federation of Government Employees (AFGE), which represents 670,000 workers in the federal government as well as the municipal government of Washington wrote in a letter to OPM Director Katherine Archuleta that hackers likely pilfered addresses, birth dates, military records, veterans' status information, job and pay history data, as well as information on health insurance, life insurance, and pensions.
Even more alarming, Cox warned that the Social Security Numbers of government employees were apparently not protected with encryption algorithms, which is the normal security measure for such sensitive information. The union leader blasted the compromised security as "absolutely indefensible and outrageous."
Credit unions that cater to federal workers are already reaching out to members whose data may have been part of the breach seeking not only to help them as they try to mitigate any damage done, but also ensuring them that the CUs' data is secure.
For example, the $346-million Department of Commerce FCU advised its membership to"monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions."
Late last week, the $162-million Department of the Interior FCU assured that its member data was in "no way associated with the recent security breaches of the U.S. Government. All members' financial data continues to be secure and not at risk," adding that the credit union "has its own network and is not linked to any of the U.S. government's systems."
A member representative at the $38-million Government Printing Office FCU said it was not affected by the data breach, while a member representative at the $173-million Treasury Department FCU said individuals concerned about the hacking incident should monitor their accounts and report any suspicious activity to the credit union immediately. Treasury also noted that it could close or block accounts in the event of major incidents of identity theft.
Similarly, a member service representative at the $58-million White House FCU said its members were not impacted by the OPM incident, while assuring that any unusual activity should be reported to the institution as soon as possible to avert any calamity.
John McKechnie, a partner at Total Spectrum of Washington and a former senior official at the National Credit Union Administration (NCUA), told Credit Union Journal that the government data breach is an "unfortunate sign of the times" and should serve as a reminder that no sector of American society is immune from data breaches.
"Credit unions with a federal employee focus should pay very close attention to the OPM guidelines that detail what steps are being taken to notify individuals of compromised personal information, and work with those members to mitigate the situation," he said. "Fortunately this incident gives credit unions an opportunity to do what credit unions do best: help their members."
Bill Hampel, CUNA chief economist and chief policy officer, told Credit Union Journal that the biggest threats to credit union members who are federal employees would be identity theft if account information was not released. However, if account information was also disclosed, and the hackers gained their account information (i.e, direct deposit data, which the vast majority of CU members have), it could also lead to misuse of existing funds.
"I think credit unions should instruct their members to check their account information online more frequently than they normally do and if they see anything amiss to contact them, immediately," Hampel said. "The acquisition of personal data could also conceivably lead to the crooks trying to open up fraudulent accounts — so they also should be vigilant about that."
For its part, NAFCU noted that because credit unions have already been on the front lines of helping members mop up the mess left behind when big retailers have suffered data breaches, CUs already have strong processes in place to work with members after such events.
On Friday, the White House confirmed that hackers may have breached U.S. government personnel records more than once, accessing data on employee background investigations.
The latest hack may have affected "information related to the background investigations of current, former and prospective federal government employees," according to a White House statement.
Meanwhile, the OPM, in tandem with the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) and the FBI, are assessing the total impact of the breach upon federal employees. OPM has also pledged to mitigate the risk of fraud and identity theft by offering affected individuals credit monitoring services and identity theft insurance.