Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
4 Million Federal Workers' PII ExposedChinese Reportedly Behind Hack of OPM Computers
The U.S. Office of Personnel Management is notifying 4 million current and former federal government employees that their personally identifiable information may have been exposed by a breach of its IT systems that the government discovered in April.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Several news outlets, citing government officials, say the hack originated in China. Neither OPM nor the Department of Homeland Security would confirm that China was behind the breach.
DHS spokesman S.Y. Lee said on June 4 the government's Einstein intrusion detection system discovered in April a potential compromise of federal PII using newly identified cyber indicators. Cyber-incident response teams from the department's United States Computer Emergency Readiness Team were dispatched to identify the scope of the potential intrusion and mitigate any risks identified. In May, Lee said, U.S.-CERT confirmed the breach. The FBI has launched an investigation into the incident.
Chris Wysopal, chief technology officer of the application security firm Veracode, says the government seemed slow to react to the detection of the breach. "Detection is only effective when there are processes or people who can respond to the alarms," Wysopal says. "We saw in the Target breach that an intrusion detection system did sound the alarm, but it wasn't acted on. This is a problem with over reliance on detection. It is difficult to weed out real alarms from the noise and have adequate responses."
Sen. Johnson: OPM Must Do a Better Job
The chairman of the Senate panel with government IT security oversight says he is disturbed that hackers could have stolen sensitive personal information on a huge number of current and former government employees, especially if the Chinese pilfered the data. "It is even more troubling that this is only the latest in a series of cyberattacks on the Office of Personnel Management," said Sen. Ron Johnson, the Wisconsin Republican who chairs the Homeland Security and Governmental Affairs Committee. "OPM says it has undertaken an aggressive effort to update its cybersecurity posture. Plainly, it must do a better job, especially given the sensitive nature of the information it holds."
Last July, OPM and DHS issued statements saying "a potential intrusion" of the OPM network occurred in March 2014. At the time, they said no PII was exposed (see U.S. Government Personnel Network Breached ).
OPM Institutes New Safeguards
OPM said since confirming the breach, it has instituted additional network security precautions, including limiting remote access for network administrators and restricting remote network administration functions, as well as reviewing all links to ensure that only legitimate business connections have access to the Internet. OPM also says it's deploying anti-malware software to prevent the deployment of tools that could compromise its network.
But one security expert says the additional protections are too little, too late. "Congratulations, four months later and your state-of-the-art technology has notified you that security and protection has been treated as an after-the-fact afterthought." says Richard Blech, chief executive of the security firm Secure Channels.
Speaking on conditions of anonymity because of the continuing investigation, U.S. officials told the Washington Post that the exposed data might have included employees' job assignments, performance ratings and training but not background or clearance investigations information.
In an interview with the Post, OPM Chief Information Officer Donna Seymour characterized the agency as a high-value target. "We have a lot of information about people, and that is something that our adversaries want," she said.
It's a point expanded on by Mark Bower, global director at the security firm HP Security Voltage: "Knowing detailed personal information, past and present, creates possible cross-agency attacks given job history data, which appears to be in the mix. It's likely this attack is less about money, but more about gaining deeper access to other systems and agencies which might even be defense or military data, future economic strategy data, foreign political strategy and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft."
OPM Offers Credit Monitoring, ID Theft Insurance
OPM said the agency is offering credit monitoring services and identify theft insurance to affected individuals. "Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM," OPM Director Katherine Archuleta said. "We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted."