APWU tells members: don’t trust USPS to store your health records

10/16/2015 – The APWU is discouraging union members from participating in a voluntary program established by the Postal Service that creates an online database of their health records, APWU President Mark Dimondstein has announced.

“Last year’s cyber attack on the Postal Service demonstrates the danger in posting sensitive personal information in an online database maintained by management,” Dimondstein said. A 2014 breach of USPS records compromised the names, dates of birth, Social Security numbers, and addresses of workers and some retirees; information regarding OWCP records that were shared with the Department of Labor also exposed medical records, bank account and routing information.

This year, the Office of Personnel Management (OPM), the federal agency that manages the records of federal and postal retirees and current and former members of the military, also reported two major data breaches.

Management launched the voluntary online database of employees’ health records, now known as USPS Health Connect Portal, in early October.

“Based on our experience with the 2014 cyber attack, we urge union members to exercise caution,” Dimondstein said. “The APWU is fully committed to defending the privacy rights of our members and we encourage union members to be vigilant on their own behalf as well.”

GOP: Data breach much larger than OPM first admitted

Press release from the Republicans on the Senate Committee on Homeland Security and Governmental Affairs:

Sen Ron Johnson R-WI

WASHINGTON – The Office of Personnel Management (OPM) and the White House on Thursday disclosed that the OPM data breaches revealed last month were far broader than the Obama administration has admitted: They involved an additional 21.5 million people, including federal employees’ spouses and children, and biometric data for 1.1 million employees.

In early June, the OPM revealed it had been the target of a breach affecting the personnel records of 4.2 million federal employees, only to reveal days later that a related breach affected an undisclosed number of far more sensitive files. Public reports later revealed that the FBI had suggested that number could be as high as 18 million people.

This data breach at the OPM affecting background investigations is only the most recently discovered of five data breaches at the agency over the past three years. It is significant both for its size — it is the largest data breach the federal government has ever announced — and for the data stolen, which was the most sensitive unclassified information the federal government holds on its employees. The loss of these records could endanger federal employees working in sensitive positions abroad as well as those employees’ families and friends. The loss may also make domestically stationed federal employees more susceptible to foreign influence.

Sen. Ron Johnson (R-Wis.), chairman of the Senate Committee on Homeland Security and Governmental Affairs, said, “The OPM has finally confirmed what the news media and the FBI have been saying about the data breach for the past month — this unprecedented hack was over five times what we were initially told. Today’s announcement shows not only that cybersecurity on federal agency networks has been grossly inadequate but that the management of the OPM is not up to the task of fixing the problem. The agency and the administration have not even been able to correctly define the scope of the problem. This will have grave consequences for national security.”

U.S. government hack could actually affect 18 million

Washington (CNN) The personal data of an estimated 18 million current, former and prospective federal employees were affected by a cyber breach at the Office of Personnel Management – more than four times the 4.2 million the agency has publicly acknowledged. The number is expected to grow, according to U.S. officials briefed on the investigation.

FBI Director James Comey gave the 18 million estimate in a closed-door briefing to Senators in recent weeks, using the OPM’s own internal data, according to U.S. officials briefed on the matter. Those affected could include people who applied for government jobs, but never actually ended up working for the government.

Source: U.S. government hack could actually affect 18 million – CNNPolitics.com

USPS loses another key IT executive

John T. Edgar

Federal News Radio reports that John T. Edgar, the postal service’s Vice President for Information Technology, has left to work in the private sector. Edgar is the second high ranking IT exec to leave the USPS in the wake of last year’s major data breach. Chief Information Security Officer Chuck McGann left the agency in November.

John Edgar departed from the Postal Service June 5 to work in the private sector. An email obtained by Federal News Radio stated Edgar, USPS’s vice president for IT, had led the IT division for the last four years and worked for the Postal Service the last 14 years.

Source: FAI, HHS get new execs; USPS loses key IT leader – FederalNewsRadio.com

Union says hackers got all personal data on every federal employee and retiree

The President of the American Federation of Government Employees, J. David Cox, says that “hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees”. The charge comes in a letter Cox sent today to OPM Director Katherine Archuleta, which also accuses OPM of not doing enough to help federal workers affected by the fiasco:

June 11, 2015

The Honorable Katherine Archuleta Director, OPM
U.S. Office of Personnel Management
1900 E Street, NW Washington, DC 20415

Dear Honorable Archuleta,

I am writing in reference to the data breach announced by the Office of Personnel Management (OPM). In the days since the breach was announced, very little substantive information has been shared with us, despite the fact that we represent more than 670,000 federal employees in departments and agencies throughout the Executive branch.

OPM has attempted to justify the withholding of information on the breach by claiming that the ongoing criminal investigation restricts your ability to inform us of exactly what happened, what vulnerabilities were exploited, who was responsible for the breach, and how damage to affected individuals will be compensated.

Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees. We believe that hackers have every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more. Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.

The 18 months of credit monitoring and $1 million liability insurance that OPM has offered affected employees is entirely inadequate, either as compensation or protection from harm. At a minimum, OPM owes employees free lifetime credit monitoring and liability insurance that covers the entirety of any loss attributable to the breach.

Further, the fact that OPM has outsourced to a contractor, CSID, the responsibility for answering affected employees’ questions adds insult to injury. The terms of the contract apparently do not include guaranteed access to a living, breathing human being knowledgeable enough to answer questions. We ask that OPM reconsider this decision to provide such an inadequate half-measure. Federal employees who have been victimized by this breach deserve more than a difficult-to-navigate website and call center contractors who do not know the answers to questions that go beyond a FAQ template.

At numerous agencies, employees are forbidden to use their government computers for any purpose other than a work assignment. They are forbidden from using their government computers to access personal emails or any non-work-related websites for any reason. Clearly, federal employees dealing with this breach will need to use their computers on duty time to attempt to protect themselves from the effects of this breach. I ask that you coordinate the issuance of directives from the Secretaries of the relevant agencies that permits an exception to these prohibitions for the purpose of attempting to protect their personal information and financial security from the effects of this breach.

Finally, it is crucial that all agencies be instructed to meet their collective bargaining obligations related to this breach. AFGE will issue demands to bargain for represented workers, and we ask that you make certain that management is apprised of its responsibility to respond appropriately.

I understand that OPM is embarrassed by this breach. It represents an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce. AFGE will continue to work to ensure that core functions of government agencies, such as protecting the security of databases like this one, are well-funded and performed by dedicated federal employees, not costly and unaccountable contractors. I look forward to working with you on this goal.

Sincerely yours,

J. David Cox, Sr. AFGE National President

APWU says postal retirees may have been affected by OPM data breach

There’s more confusion about the OPM data breach: an American Postal Workers Union official said today that postal retirees may have been affected by the breach. The report contradicts a statement made Friday by NARFE President Richard Thissen, who says he was advised by OPM that retiree records were not compromised. Here’s the APWU statement:

Postal retirees may be among those affected by a breach in the computer system of the Office of Personnel Management (OPM), Retirees Department Director Judy Beard reports. OPM announced June 4 that the records of 4 million current and former federal employees were compromised in a cyber attack the agency discovered in April.

Beginning June 8 and continuing through June 19, OPM will notify current and former employees via email that their records may have been compromised. Retirees whose email addresses are not on file with OPM will be contacted by mail.

Those affected will be offered credit monitoring for a period of 18 months, OPM said. The union encourages retirees to take advantage of the free credit-monitoring service.

For additional information, visit www.opm.gov, or call 844-222-2743.

“The APWU will pursue this intrusion to our members’ personal data to ensure they are fully protected under the law,” Beard said. The union is inquiring about the extent of the cyber attack as it relates to APWU retirees, she added.

“The APWU is committed to protecting the rights of our members, including the right to protect their personal information,” President Mark Dimondstein said.

The APWU and the other postal unions recently won the right to bargain with the Postal Service over a massive USPS data security breach that took place in 2014. The precedent-setting agreement was approved by the National Labor Relations Board.

For additional information from the Federal Trade Commission about how to respond to the OPM data breach, click here.

For additional information about how to protect yourself in the event of identity theft, click here.

Source: Postal Retirees May be Affected by OPM Data Breach | APWU

USPS says it doesn’t know if postal workers were affected by OPM breach

In a brief item posted on the USPS News Link site yesterday afternoon, the USPS said that it doesn’t know yet whether or not its employees were affected by the OPM data breach:

The personally identifiable information of approximately 4 million current and former federal employees was potentially compromised, according to OPM. The Postal Service doesn’t know if current or former postal employees were affected. From June 8-19, OPM will send notifications to all 4 million individuals whose information was potentially compromised.

The email will come from opmcio@csid.com and contain information regarding credit monitoring and identity theft protection services being provided to those federal employees affected by the data breach. If OPM doesn’t have an email address for an individual on file, a standard letter will be sent via the Postal Service.

Source: USPS News Link Story – OPM announces cybersecurity incident

NARFE: retiree records weren’t compromised in data breach

In a statement issued in response to the OPM data breach, National Active and Retired Federal Employee (NARFE) President Richard Thissen says he was advised by OPM that retiree records were not compromised in this week’s data breach. OPM handles benefits for retired postal workers:

“Last evening, I was informed directly by an official of the Office of Personnel Management (OPM) that the personnel records, including personally identifiable information (PII), of four million current and former federal employees were exposed to a cyberattack. NARFE is staying in close contact with OPM and the administration as they determine the extent of the data breach.

“I want to stress that we were told by OPM that retiree records, including those of spouses and survivors, were not compromised in this breach. The data accessed by the hackers was employment data. However, some of the individuals affected may no longer be employed by the federal government, whether they retired or left federal service.”

Source: National Active and Retired Federal Employees Association (NARFE)

APWU, Sister Postal Unions Win Right to Bargain Over Cyber Intrusions

06/02/2015 – In a precedent-setting agreement approved by the National Labor Relations Board, the APWU and its sister postal unions won the right to bargain with the Postal Service over a massive data security breach that took place in 2014.

The historic May 19 settlement marks a win for unions in a new area of labor-management contention: Management’s responsibilities to protect employees’ personal information in the digital age. The recent rash of data security breaches at government agencies and large private-sector companies makes the victory significant for workers far beyond those employed by the USPS.

“The settlement affirms the union’s right to bargain on behalf of our members to ensure that management takes appropriate steps to protect their privacy,” said APWU President Mark Dimondstein.

The APWU filed an Unfair Labor Practice charge against the Postal Service on Nov. 10, just days after learning of the cyber intrusion, citing the Postal Service’s refusal to bargain over management’s response to the breach and failure to respond to the union’s request for information.

As a result of the intrusion into postal records, many employees’ Social Security numbers, addresses, dates of birth, and injury claim information were accessed over a period of months. The Postal Service decided unilaterally to offer employees one year of free credit reporting.

Upon learning of the breach from then-Postmaster General Patrick Donahoe, the APWU demanded that the Postal Service bargain over the issue. The APWU also sought information from management about the extent of the breach; what postal officials knew; when they knew it, and what they did or failed to do to protect employee information.

“The APWU is committed to protecting the rights of our members, including the right to have their personal information protected,” Dimondstein said.

The settlement agreement stipulates that:

  • The four postal unions (APWU, National Rural Letter Carriers Association, National Association of Letter Carriers, and National Postal Mail Handlers Union) will bargain jointly with the U.S. Postal Service over the impact and effects of the data breach.
  • A Notice to Employees must be posted on bulletin boards, Lite Blue, and read to employees at stand-up talks.
  • Bargaining will begin seven days after management receives notice from the unions of their desire to initiate talks.
  • The Postal Service must respond to requests for information within seven days of a request – either with the information or the date it will be provided.
  • The Postal Service will make “subject matter experts” on the breach available to the unions.
  • If the USPS fails to adhere to the terms of the settlement, the National Labor Relations Board (NLRB) may reissue complaints it filed against the Postal Service in April. The complaints were filed in response to unfair labor practice charges filed by the APWU and the other postal unions.

Source: APWU, Sister Postal Unions Win Right to Bargain Over Cyber Intrusions | APWU

USPS settles with NLRB on data breach complaint

From Politico:

POSTAL SERVICE SETTLES DATA BREACH LABOR CASE: The U.S. Postal Service agreed to settle an NLRB complaint alleging it refused to bargain with its unions over how to rectify a data breach that compromised personal information for hundreds of thousands of employees.

The issue was a novel one for the board, which, experts say, has rarely, if ever, considered whether employers have a duty to bargain with labor groups over data breaches. The settlement constitutes what is essentially an admission by the Post Office that it had a duty to negotiate with unions over how to address the breach. http://politico.pro/1PzoE6L

Source: POLITICO Morning Shift – POLITICO