What does it say about government agencies if the office in charge of handling information for federal employees suffers a hack deep enough to compromise the private information of more than 4 million people?
That’s the question Congress, as well as the leadership of the Office of Personnel Management (OPM), grappled with in the wake of a data breach that reached back to 2012.
A report released Sept. 7 by the Republican-led House Oversight and Government Reform Committee took the OPM leadership to task for failing to adequately protect their systems. The report was based on a year-long investigation into the breach, according to Federal News Radio.
This being Washington, there’s some partisanship at play here, but ultimately the public discussion of the attack and how OPM plans to ensure this doesn’t happen again has lessons for businesses and leaders beyond the Beltway.
From the report:
“In what appears to be a coordinated campaign to collect information on government employees, attackers exfiltrated personnel files of 4.2 million former and current government employees and security clearance background investigation information on 21.5 million individuals,” including fingerprint data from 5.6 million people.
On March 20, 2014, the first alert came — someone was pulling OPM data from deep inside the network, Krebs on Security explains. OPM leadership engaged in a monitoring strategy to learn more about the hacker. But, according to the report, this strategy assumed they had correctly identified the source of the problem. They hadn’t.
In May of that year, someone posing as an employee of an OPM contractor hired to do background research used legitimate credentials to log into the OPM system and install malware that opened a backdoor into the OPM network.
OPM found the first hacker, and thought they had mitigated the threat. But they didn’t find the second one until about a year later. Investigations show the first access may have come as early as 2012, according to the House committee.
By the time both threats were discovered, personnel records, including background investigations for security clearance and fingerprint data, had been swiped.
In just one example of the impact of this attack, the Central Intelligence Agency recalled officers from Beijing for fear the attack, tied back to the Chinese, might expose the identity of spies, according to the Washington Post.
A measure as simple as two-factor authentication could have mitigated the attack, the Congressional panel found, but OPM didn’t adopt that requirement for remote logins until 2015. And that was just one suggestion. The Congressional report also called for better vetting of agency personnel and the CIO.
In their original response to the breach, back in 2015, OPM leadership outlined the steps taken to ensure this doesn’t happen again. And therein lies a lesson for every business. The OPM laid out 23 steps that they are currently implementing.
Among the suggestions:
- Enhance oversight of outside contractors, with detailed documentation for doing so.
- Limit the number of privileged users and how long they can log into the system, and track all of their system activity
- Hire a dedicated IT portfolio manager to handle all “security and performance requirements”
- Cybersecurity training for every employee, mandated
- Centralize cybersecurity management in the CIO’s office
While many of us may not draw the attention of foreign cyber-espionage hackers, the measures, and the warnings, are good practice for everyone worried about cybersecurity — which should be all of us.