Last month, in the wake of a series of massive breaches at the federal Office of Personnel Management, the Army issued a bulletin warning that some victims were being hit by hackers a second time, this time with an email phishing campaign asking them to input personal information into a third-party website to receive credit monitoring.
Except it turns out the email in question was completely legitimate. It was sent en masse by the OPM contractor providing notification and credit-monitoring services to the agency’s hacking victims. Army and Air Force investigations of the “phishing scam” delayed by several days both victim notification and credit monitoring benefits to Defense Department personnel whose private information had fallen prey to OPM hackers. The emails notifying victims and linking to information about the monitoring only went through after spam filters were reset.
The confusion over the credit-monitoring emails appears to reflect a larger lack of coordination among government agencies following the announcement of the breaches, the first of which compromised the data of 4.2 million people and the second of which the OPM has said affected some 22 million people.
The Army warned people away from opening the email providing notification and free credit monitoring in unequivocal terms. “In recent days, we’ve learned of a new phishing attack that attempts to draw the attention of recipients with the subject line, ‘Important Message from the U.S. Office of Personnel Management CIO,’” said a June 9 threat intelligence alert. The alert was quoted in the Army Weekly Protection Information Bulletin 5-11 June 2015, obtained by The Intercept.
The alert added that while the “phishing” emails purport to be from the Office of Personnel Management’s chief information officer, “users are actually directed to a fake website and asked to enter private information.”
“Close the message immediately and report it as spam to the Cyber Security Network Defense Team,” the alert ordered.
The Army attempted to correct its alert in a separate bulletin issued days later, in which it said that probes by the Army Criminal Investigative Division and the Air Force’s Office of Special Investigations had determined that OPM, not hackers, had actually sent the emails asking Defense Department employees to provide personal information via a third-party site. From the Army Weekly Protection Information Bulletin, June 5-11, 2015.
On the Frequently Asked Questions section of OPM’s website, the agency now explains they hired a company to send out the notifications to people whose personal information was compromised in the breach. Clicking on an “Enroll Now” link would direct to a site where the person was asked to enter his or her personal information in order to receive credit-monitoring services.
The Army’s second, corrective bulletin reminded recipients that Defense Department personnel are routinely told, “Never respond to an e-mail with your personal information attached.”
Even after determining the OPM emails were legitimate, the Army appeared to suggest that enrolling in the credit-monitoring service via email links to the third-party website might not be safe.
“Legitimate sources usually will not require you to provide your personal information in an e-mail and you should normally report the matter to your security manager if they do,” the updated alert stated.
“Even though USACIDC & OSI offices have determined the email to be legitimate, it may be a good idea to contact the sender and transmit the information requested personally with an individual from the OPM office directly.”
In an emailed statement, OPM agency spokesperson Sam Schumach said: “OPM understands things could have gone better, but ultimately I think we’re satisfied with the end result and our partnership with [credit-monitoring firm] CSID, because we do have a 98 percent contact rate and 21 percent take-up rate, which is unprecedented in terms of a breach like this.”
The Defense Department referred questions to the division of the Army that published the weekly report containing the updated phishing alert. On Tuesday, an employee of the division told The Intercept to wait for a return call.
Caption: Katherine Archuleta, director of the Office of Personnel Management, speaks during a hearing of the Senate Homeland Security and Governmental Affairs Committee on Capitol Hill June 25, 2015 in Washington, DC.