Numerous media outlets have reported about the massive data breach at the Office of Personnel Management (OPM) where the personnel records of 14 million current and former federal employees were accessed. The original breach notification mentioned 4 million personnel records, but several news reports mentioned the higher 14 million figure. Several facts highlight the extreme seriousness of this data breach.
First, the OPM announced in its FAQ page that the data elements accessed and/or stolen included full names, Social Security Numbers, date of birth, place of birth, current residential address, and former residential addresses. The personnel records also included items:
"... such as job assignments, training records, and benefit selection decisions, but not the names of family members or beneficiaries and not information contained in actual policies..."
The OPM began notifying breach victims in early June. On June 4, 2015, the OPM announced several resources and tips for breach victims to protect themselves. These were standard items, such as checking credit reports for fraud, using online FTC resources to combat identity theft and fraud, being suspicious of phone spam, placing fraud alerts on credit reports, and not disclosing personal information over the phone or on the Internet. Also, the OPM has arranged complimentary credit monitoring services via CSID for breach victims.
Second, the breach occurred in December 2014, and the OPM discovered it in April 2015. The OPM has been working with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation (FBI) to determine the full impact of the breach.
Third, the OPM announced on June 15 that the breach was wider than first thought:
"Through the course of the ongoing investigation into the cyber intrusion that compromised personnel records of current and former Federal employees announced on June 4, OPM has recently discovered that additional systems were compromised. These systems included those that contain information related to the background investigations of current, former, and prospective Federal government employees, as well as other individuals for whom a Federal background investigation was conducted."
Fourth, the data stolen was more extensive than first thought. Federal Times reported on June 16 that the data breach:
"... might have led to the loss of all personnel data for federal employee and retirees, according to the American Federation of Government Employees. Union President J. David Cox said that the data breach – which took place in 2014 but was only discovered in April – means that hackers now have federal employee and retiree social security numbers, military records, insurance information, addresses and a wealth of other personal details."
While the data was not encrypted, officials stated that encryption would not have stopped the hackers. Clearly, more information about the breach will continue to surface.
Fifth, many news reports have focused upon the alleged hackers and international espionage:
"Hackers working for the Chinese state breached the computer system of the Office of Personnel Management in December, U.S. officials said Thursday... It was the second major intrusion of the same agency by China in less than a year and the second significant foreign breach into U.S. government networks in recent months... One private security firm, iSight Partners, says it has linked the OPM intrusion to the same cyberespionage group that hacked the health insurance giant Anthem. The FBI suspects that that intrusion, announced in February, was also the work of Chinese hackers, people close to the investigation have said."
Many news reports have focused upon the alleged hackers' interest in gaining background information on government officials and covert operatives (e.g., spies):
"In the current incident, the hackers targeted an OPM data center housed at the Interior Department. The database did not contain information on background investigations or employees applying for security clearances, officials said... in March 2014, OPM officials discovered that hackers had breached an OPM system that manages sensitive data on federal employees applying for clearances. That often includes financial data, information about family and other sensitive details. That breach, too, was attributed to China, other officials said."
Interestingly, the actual breach notices by the OPM never mentioned China.
Sixth, the June 4 announcement by the OPM has been intentionally vague about exactly how hackers breached the agency's systems:
"Because cyber threats are evolving and pervasive, OPM is continuously working to identify and mitigate threats when they occur. OPM evaluates its IT security protocols on a continuous basis to make sure that sensitive data is protected to the greatest extent possible, across all networks where OPM data resides—including those managed by government partners and contractors."
Based upon what we know so far, it seems that several senior executives at OPM need to be replaced. Ars Technica reported:
"House Oversight Chairman Jason Chaffetz (R-Utah) told [OPM Director Katherine Archuleta] and OPM Chief Information Officer Donna Seymour, "You failed utterly and totally." He referred to OPM's own inspector general reports and hammered Seymour in particular for the eleven major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM's own IT department. "They were in your office, which is a horrible example to be setting," Chaffetz told Seymour. In total, 65 percent of OPM's data was stored on those uncertified systems."
It is a tricky balance between disclosing too much (aiding hackers) and disclosing too little (failing to reassure the public). More needs to be disclosed so that the public is confident that adequate fixes have been implemented and a breach like this doesn't happen again. And executives must be held accountable for the security failures.