Five months after the OPM theft of federal employee data, our government may have arisen from its snoozing long enough to attempt to do something for the 21.5 million victims of the data breach. They are outsourcing it! Yes, they are doing the same thing that no doubt led to the breach, which was outsourcing admins all over the planet and giving them root, the keys to the cookie jar.
A company called I.D. Experts just got a sumptuous contract to provide three years of data and credit-protection insurance to the 21.5 million federal employees, and who knows, they might be quite competent. But they are providing quite basic services, things that cost $6-12 a month, and offer little protection against being blackmailed, compromised, or otherwise having problems because highly confidential data has been stolen.
Have we heard anything about how OPM plans to ensure such attacks are never successful again? Well no, no we haven’t. Probably because they don’t have a clue and no extra money to upgrade computers.
Computer security should be handled by the government, not private companies, who may be outsourcing on their own. And there have been problems, as when a private company sent emails out to the victims, who thought it was a hack since it didn’t come from a dot gov address.
Notification by contractor “was definitely not part of the scope of work” of the contract, she added.
Security controls on the vendors’ own systems were a consideration during the vetting process, officials said.
Security on vendor systems should be a major consideration and needs ironclad rules, routine audits, and strong enforcement.