
Army flagged OPM breach notice as phishing attempt

Kevin Lilley
Army Times
This image from a Fort Meade, Maryland, Facebook post includes text from an Office of Personnel Management-authorized email that officials initially flagged as a phishing scam.

Army officials wrongly flagged an email designed to help those affected by a recent data breach as a phishing attempt, one they initially said would point users to “a fake website” before retracting their warning.

Some soldiers and Army civilians were among the 4.2 million federal employees whose personal information may have been compromised in the Office of Personnel Management's April breach, which OPM announced in early June. As part of its response, OPM employed CSID, a private company specializing in identity protection, to offer a variety of monitoring services to affected workers.

CSID sent an email with a link to an application for those services, and the Army instructed all who received it to “close the message immediately and report it as spam to the Cyber Security Network Defense Team,” according to a warning posted on the Fort Meade, Maryland, Facebook page June 9.

The post was updated hours later to note the warning had been retracted. A similar Facebook warning from Fort Bragg, North Carolina, was deleted.

The Fort Meade post states that the warning stemmed from Installation Management Command’s operations center. An IMCOM spokesman said the warning initially came from the Army Threat Integration Center; a report published Tuesday by The Intercept quotes a June 9 ARTIC warning on the email in an Army-issued Weekly Protection Information Bulletin.

Further questions on the warning, its reversal and its distribution to the Army community were referred Wednesday to Army Public Affairs officials. They had not responded as of Thursday afternoon.

The email, a copy of which was posted along with the Fort Meade Facebook warning, has some traits that can serve as warning lights for a potential phishing operation, in which emailers attempt to gain access to private information by sending documents that appear to be from banks or other reputable agents:

  • The sender, using a dot-com address, doesn’t match the federal agency represented in the subject line ("Important Message from the U.S. Office of Personnel Management CIO"), who would be more likely to send an email from a dot-gov address.
  • The email includes a link that asks the recipient for personal information. Multiple anti-phishing publications carry warnings similar to the one found on OPM’s cybersecurity Web page: “Never click on links you don't trust and don't give out your personal information.”
  • The email includes a clickable “Enroll Now” button for readers to access the fraud-protection service. Many anti-phishing guidelines include a warning to manually enter all URLs; follow-up versions of the email included the link text.

These warning lights may have been dimmed with a check of the OPM website, which at the time of the breach announcement included details on the upcoming communications federal employees would receive and frequent mentions of CSID as an authorized protection provider.

But Army recipients were told they were “being directed to a fake website and asked to enter private information,” per the Facebook warning. “In the event that you receive a message fitting this description, close the message immediately and report it as spam to the Cyber Security Network Defense Team."

And in the image accompanying the post: "If you see this email DO NOT RESPOND -- DELETE IT !!!!!"

An OPM email intended to help soldiers whose data may have been hacked was initially flagged as a phishing attempt.

Despite the Army red flag, OPM spokesman Sam Schumach said the notification effort’s success rate – 22 percent of the targeted workers signed up for the program – dwarfed that of similar responses to public- and private-sector hacks, which are often in the low- to mid-single digits.

Still, “there were things that could have gone better,” said Schumach, who said he did not know whether the Army reached out to OPM before issuing its phishing warning.

The email notification did not involve the second OPM breach, announced in early July, that may have exposed the personal data of more than 21.5 million people.
