“The U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the personal information of Federal personnel. Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) to determine the impact to Federal personnel. OPM immediately implemented additional security measures and will continue to improve the security of the sensitive information it manages.”
On Thursday, June 4, the Office of Personnel Management, which essentially serves as the federal government’s human resource department, announced that it had suffered a massive data breach.
The personally identifiable information (PII) of over 4 million current and former federal employees had been taken. According to OPM, the breach began in December of 2014, and was discovered in April of this year. The time that elapsed from discovering the breach to announcing it may be explained by continuing security concerns, but it easily could stem from pure embarrassment. After all, less than a year has passed since OPM was publicly attributing another breach to Chinese attackers.
A number of sources are attributing the latest breach to China, and interestingly, China’s relatively perfunctory denial amounts to “prove it.” But the source of the attack is not the primary concern. It comes as little surprise that there are pernicious, enduring cyber threats that are continuously seeking to exploit cyber defenses. The issue is just how poorly OPM seems to have defended the sensitive information it held.
Apparently none of the data taken from OPM was encrypted. Encryption would have dramatically lowered the value of the data. Given the earlier breach, and the fact, as reported by The Washington Post, OPM was warned that it had major cybersecurity deficiencies, it would seem encryption would have been a logical way to address its vulnerability.
In a press release announcing the latest breach, OPM said, “Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the Internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network.” More than one person affected by the breach has wondered just why those precautions are being taken only now, when they seem to be fairly basic and would have been expected.
No doubt OPM will be given great opportunity to troop to Capitol Hill and discuss in agonizing detail what it did and did not do that factored into this latest data breach. We can all learn from the details. But the prudent observer should already be taking steps to ensure that critical information held by an organization is encrypted and protected by relatively cost-effective measures like multi-factor authentication and encryption.
____________________
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
You can view previous blog posts on cyber risk management here.
June 9, 2015