No upside to OPM data breaches
In the weeks following the June 4 announcement by the U.S. Office of Personnel Management (OPM) that it had discovered in April a large-scale security incident compromising the personal information of as many as 4 million current and former federal government employees, subsequent disclosures and updates have painted a troubling picture of the poor security practices that enabled the attack and delayed its discovery. First came the perhaps inevitable revelation that the impact was worse than initially reported, reaching not only federal employees but millions of former employees and contractors: potentially everyone who applied for a security clearance since 2000, a group that OPM estimates at 21.5 million people.
The initial, smaller group of employees was slated to receive identity theft protection and other measures to limit future damage from the loss of their personal information. OPM quickly hired a contractor to handle employee notification, but in the rush to get the process started it apparently failed to consider how affected individuals would perceive email notifications that directed them to a non-government site and asked for personal information. Many recipients believed the emails, which came from the contractor CSID rather than from OPM, were phishing attempts, or objected to providing personal information to the fraud protection companies OPM had engaged. The Army went so far as to warn its employees not to respond to such emails, categorizing them as an attack, and OPM subsequently suspended the notifications to defense agencies (they continued to go to civilian ones). Unfortunately for all concerned, a legitimate notification campaign that asks recipients to follow a link to an unfamiliar domain and enter personal data is indistinguishable, from the recipient's point of view, from a phishing lure, and the breach and its follow-up actions proved irresistible fodder for attackers: the U.S. Computer Emergency Readiness Team (US-CERT) soon reported phishing campaigns themed on the OPM breach.
Aside from the generally unsatisfactory way OPM has handled its response to the data breach (notification of the broader group of security clearance applicants has yet to begin), information OPM provided in testimony at a Senate hearing convened by the Appropriations Subcommittee on Financial Services and General Government revealed multiple failures in what should be considered basic information security practices. Most troubling was the indication by OPM Director Katherine Archuleta that the unauthorized access to OPM's systems was achieved using credentials issued to a contractor, KeyPoint Government Solutions, which had itself been the victim of a cyberattack that exposed information on thousands of government employees. The implication is that after the intrusion into its contractor's systems, OPM neither disabled nor rotated the credentials it had issued to KeyPoint personnel, even though any credential held by a compromised third party must be presumed compromised until it is revoked or replaced. Imagine a homeowner who has given a spare house key to his neighbor and, upon learning his neighbor's house was burgled, chooses not to change his locks. The successful use of credentials issued to a contractor is reminiscent of other high-profile data breaches, including the theft of customer information from Home Depot and Target, where the attackers first compromised a third-party vendor and then used that vendor's access to reach the primary target.
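The control OPM apparently lacked is mechanical: when a third party that holds credentials to your systems reports a breach, enumerate every credential issued to that party, revoke or rotate it, and then look back through authentication logs for any use of those credentials after the vendor's compromise date. The following is an added example written for this article, not code from OPM or any agency, showing that audit over a constructed credential inventory and a few constructed authentication log records. The vendor name `example-vendor`, the field names, and the incident date are assumptions chosen for illustration; in practice the inventory would come from the identity provider and the events from its sign-in logs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Credential:
    principal: str          # account name as issued by the primary organization
    issued_to_org: str      # third party that holds this credential
    enabled: bool
    last_rotated: datetime  # UTC timestamp of last password/key change

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    principal: str
    outcome: str            # "success" or "failure"
    src_ip: str

def _utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)

# Constructed sample inventory: hypothetical accounts, not real data.
INVENTORY = [
    Credential("ev-analyst01", "example-vendor", True, _utc(2014, 9, 1)),
    Credential("ev-analyst02", "example-vendor", True, _utc(2015, 1, 20)),  # rotated after incident
    Credential("ev-svc-upload", "example-vendor", False, _utc(2014, 3, 1)), # already disabled
    Credential("staff-jdoe", "primary-org", True, _utc(2014, 11, 5)),       # not the vendor's
]

# Constructed sample sign-in log; hypothetical addresses.
AUTH_LOG = [
    AuthEvent(_utc(2014, 12, 20, 9, 0), "ev-analyst01", "success", "192.0.2.10"),
    AuthEvent(_utc(2015, 1, 3, 2, 17), "ev-analyst01", "success", "198.51.100.7"),
    AuthEvent(_utc(2015, 1, 4, 2, 30), "ev-svc-upload", "failure", "198.51.100.7"),
    AuthEvent(_utc(2015, 1, 25, 8, 0), "ev-analyst02", "success", "192.0.2.11"),
    AuthEvent(_utc(2015, 1, 6, 10, 0), "staff-jdoe", "success", "192.0.2.12"),
]

def at_risk_credentials(inventory, vendor, incident_date):
    """Credentials held by `vendor` that must be revoked or rotated: still enabled
    and not rotated since the vendor's compromise date. Assumes the compromise
    could have begun as early as `incident_date` (the earliest known date, not
    the disclosure date, is the conservative choice)."""
    return sorted(
        c.principal for c in inventory
        if c.issued_to_org == vendor and c.enabled and c.last_rotated < incident_date
    )

def post_incident_use(events, principals, incident_date):
    """Successful authentications by at-risk principals on or after the incident
    date. Each hit is a lead for incident response, not proof of compromise:
    the vendor's own staff may have logged in legitimately."""
    watch = set(principals)
    return [
        (e.ts.isoformat(), e.principal, e.src_ip)
        for e in sorted(events, key=lambda e: e.ts)
        if e.principal in watch and e.outcome == "success" and e.ts >= incident_date
    ]

def revocation_plan(inventory, events, vendor, incident_date):
    """Combine both checks into the action list a responder would work from."""
    risky = at_risk_credentials(inventory, vendor, incident_date)
    return {
        "revoke_or_rotate": risky,
        "investigate_logins": post_incident_use(events, risky, incident_date),
    }

if __name__ == "__main__":
    plan = revocation_plan(INVENTORY, AUTH_LOG, "example-vendor", _utc(2014, 12, 31))
    for p in plan["revoke_or_rotate"]:
        print("revoke/rotate:", p)
    for ts, p, ip in plan["investigate_logins"]:
        print("investigate:", ts, p, ip)
```

Two design points matter here. First, the filter keys on who holds the credential, not on any marker of misuse, because the premise after a vendor breach is that every credential the vendor held is compromised. Second, the look-back starts at the earliest plausible compromise date rather than the day the vendor disclosed it; in the OPM case the gap between the contractor's compromise and the discovery of the intrusion is exactly where the damage accumulated.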