Massive Data Breach At Federal Government Agency Exposes Sensitive Data of Government Workers
Tuesday, June 16, 2015
Numerous media outlets have reported on the massive data breach at the Office of Personnel Management (OPM), in which the personnel records of 14 million current and former federal employees were accessed. The original breach notification mentioned 4 million personnel records, but several news reports cited the higher 14 million figure. Several facts highlight the extreme seriousness of this data breach.
First, the OPM announced on its FAQ page that the data elements accessed and/or stolen included full names, Social Security Numbers, date of birth, place of birth, current residential address, and former residential addresses. The personnel records also included items:
"... such as job assignments, training records, and benefit selection decisions, but not the names of family members or beneficiaries and not information contained in actual policies..."
The OPM began notifying breach victims in early June. On June 4, 2015, the OPM announced several resources and tips for breach victims to protect themselves. These were standard items: check credit reports for fraud, use online FTC resources to combat identity theft and fraud, be suspicious of phone spam, place fraud alerts on credit reports, and don't disclose personal information over the phone or on the Internet. The OPM has also arranged complimentary credit monitoring services via CSID for breach victims.
Second, the breach occurred in December 2014, and the OPM discovered it in April 2015. The OPM has been working with the U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to determine the full impact of the breach.
Third, the OPM announced on June 15 that the breach was wider than first thought:
"Through the course of the ongoing investigation into the cyber intrusion that compromised personnel records of current and former Federal employees announced on June 4, OPM has recently discovered that additional systems were compromised. These systems included those that contain information related to the background investigations of current, former, and prospective Federal government employees, as well as other individuals for whom a Federal background investigation was conducted."
Fourth, the data stolen was more extensive than first thought. Federal Times reported on June 16 that the data breach:
"... might have led to the loss of all personnel data for federal employees and retirees, according to the American Federation of Government Employees. Union President J. David Cox said that the data breach – which took place in 2014 but was only discovered in April – means that hackers now have federal employee and retiree social security numbers, military records, insurance information, addresses and a wealth of other personal details."
While the data was not encrypted, officials stated that encryption would not have stopped the hackers. That statement is true only for a particular kind of intruder: encryption at rest defends against theft of the stored files or media, and does nothing against an attacker who reads the data through accounts or applications that are authorized to decrypt it. Clearly, more information about the breach will continue to surface.
Fifth, many news reports have focused upon the alleged hackers and international espionage:
"Hackers working for the Chinese state breached the computer system of the Office of Personnel Management in December, U.S. officials said Thursday... It was the second major intrusion of the same agency by China in less than a year and the second significant foreign breach into U.S. government networks in recent months... One private security firm, iSight Partners, says it has linked the OPM intrusion to the same cyberespionage group that hacked the health insurance giant Anthem. The FBI suspects that that intrusion, announced in February, was also the work of Chinese hackers, people close to the investigation have said."
Many news reports have focused upon the alleged hackers' interest in gaining background information on government officials and covert operatives (e.g., spies):
"In the current incident, the hackers targeted an OPM data center housed at the Interior Department. The database did not contain information on background investigations or employees applying for security clearances, officials said... in March 2014, OPM officials discovered that hackers had breached an OPM system that manages sensitive data on federal employees applying for clearances. That often includes financial data, information about family and other sensitive details. That breach, too, was attributed to China, other officials said."
Interestingly, the actual breach notices by the OPM never mentioned China.
Sixth, the June 4 announcement by the OPM was intentionally vague about exactly how hackers breached the agency's systems:
"Because cyber threats are evolving and pervasive, OPM is continuously working to identify and mitigate threats when they occur. OPM evaluates its IT security protocols on a continuous basis to make sure that sensitive data is protected to the greatest extent possible, across all networks where OPM data resides—including those managed by government partners and contractors."
Based upon what we know so far, it seems that several senior executives at OPM need to be replaced. Ars Technica reported:
"House Oversight Chairman Jason Chaffetz (R-Utah) told [OPM Director Katherine Archuleta] and OPM Chief Information Officer Donna Seymour, "You failed utterly and totally." He referred to OPM's own inspector general reports and hammered Seymour in particular for the eleven major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM's own IT department. "They were in your office, which is a horrible example to be setting," Chaffetz told Seymour. In total, 65 percent of OPM's data was stored on those uncertified systems."
It is a tricky balance between disclosing too much (which aids hackers) and disclosing too little (which fails to reassure the public). More needs to be disclosed so that the public can be confident that adequate fixes have been implemented and a breach like this doesn't happen again. And executives must be held accountable for the security failures.
The editor is quite right about the delicate balance between disclosing too much, which would aid the hackers or other hackers, and disclosing too little, so that the public has no confidence that government knows the problem and how to fix it. Notwithstanding that, I think that the U.S. Government knows how the almost certainly Chinese hackers breached their systems, but, for reasons of security, can't disclose how the breach was done. Perhaps one day, we will learn the sources and methods that the Chinese used to breach OPM's computers.
But for now, we must fix the computers: so that they cannot be further breached, so that we hold the persons, whose incompetence caused the breach, responsible for it, and so that our intelligence agencies, as I am sure they are already doing, contain and remedy the damages done to U.S. interests, particularly U.S. intelligence operations.
What is most significant for me are the implications for Hillary Clinton having run a private and inadequately secured personal email server to conduct her business as Secretary of State and to store our nation's most vital secrets. If we are going to discipline OPM's Director and CIO for their negligence with OPM's computer systems, then shouldn't Hillary Clinton at least be held up to public opprobrium for her irresponsible conduct in using a private and unsecured email server for her official business as Secretary of State? And wouldn't it be a stunning thing if the Chinese got into our government computer system as a result of compromising Hillary Clinton's personal email server?
The other major issue is how we deal with the Chinese for this virtual act of war. Are we entering a new cold war, a cyberwar, with China and Russia? War is very bad for business. If I were the CEO of any American firm that had a supply chain in China, I would be developing alternative sources of supply. And if I depend on China for any major part of my sales, I would be preparing to lose those revenues. I am talking to you Tim Cook.
Posted by: chanson de roland | Tuesday, June 16, 2015 at 09:30 PM
Roland:
Thanks for the comments. Yes, we are in a new cold war era where countries spy directly or indirectly through vendors on other countries' governments, leaders, and business executives. Remember the controversy in 2013 about alleged USA spying on our ally, German Chancellor Merkel?
If Secretary Clinton's server caused or facilitated a data breach, then of course she should be held to the same standard of accountability as OPM executives. That hasn't been proven.
Also, many politicians have lax attitudes towards email security. That doesn't make it right. My point: don't single out former Secretary Clinton. Instead, enforce it consistently... which hasn't been done. Remember this US history on lost emails:
http://voices.washingtonpost.com/federal-eye/2010/08/new_report_details_loss_of_bus.html
And this:
http://www.politicususa.com/2014/06/28/republicans-attacking-obama-missing-irs-emails-caught-web-hypocrisy.html
And this:
http://www.salon.com/2015/03/12/the_george_w_bush_email_scandal_the_media_has_conveniently_forgotten_partner/
"The emails had been run through private accounts controlled by the Republican National Committee and were only supposed to be used for dealing with non-administration political campaign work to avoid violating ethics laws. Yet congressional investigators already had evidence private emails had been used for government business, including to discuss the firing of one of the U.S. attorneys."
Most of those 22 million "lost" Bush administration emails were later recovered, but the explanation was an IT mishandling error. Huh? Mishandling Presidential emails? I think not. While GOP Presidential candidates try to use emails as an issue against Dem Presidential candidate Clinton, I am reminded of the old saying: "people in glass houses shouldn't throw stones."
Nobody in Washington is clean on the issue of email handling. Nobody.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Tuesday, June 16, 2015 at 10:35 PM