News sources around the country are reporting that the Office Of Personnel Management was breached and it likely was breached for a long time. The OPM provides HR services for executive branch agencies and provides services like doing security background checks for the DoD and others. The OPM is releasing very few details at this point other than the breach is affecting a little over 4 million people.
The OPM issued a press release announcing the breach but giving very few details. For example, they are not saying when it started or exactly what data was taken. Hopefully, that will be released.
What they did say is that they have been working over the last year to improve their cyber security and as a result, in April 2015, they became aware of the breach. How long the hackers were in there is unclear.
You may remember that OPM was hacked last year (see NY Times article) and there were concerns that the eQIP database, which stores very personal information on contractors and employees who have applied for security clearances was hacked.
In addition, OPM contractor Keypoint Government Solutions (see article) was hacked and hackers got away with about 48,000 records. Keypoint is still a vendor to OPM.
Also last year, USIS, another background check vendor, was actually fired over a similar breach. They lost contracts valued at $2.6 billion as a result of this breach (see post), forcing them to lay off 2,500 employees and coming close to bankruptcy.
The government is attributing the breach to China; China is not exactly denying it. China’s foreign ministry said that it is very hard to prove who is responsible for a cyber attack. At least they hope so. You may remember that President Obama attributed the Sony attack to China and people, including me, said how do you know. It finally came out that we had hacked North Korea and were inside their networks for years, so we probably did know. Is the same true for China? No one is saying. Yet.
What does this mean for you and me?
It means that hackers are going to go where the data is and one fallout as organizations collect more and more data, is that they become bigger targets for hackers.
I remember when I worked for a defense contractor many years ago and applied for a clearance, I filled out a form in pen and a typist typed up a final copy, which was mailed to Washington. The only way hackers could hack the OPM then, was to break into the OPM offices in Washington. That likely would result in the hackers being shot and killed, a less pleasing outcome. In addition, to steal data on 4 million people would likely require a semi tractor trailer backed up to the OPM offices for hours if not days, something that would likely be noticed.
Process improvements don’t always take security into account. For example, was the data at OPM encrypted? If so, conceptually, was the key stored on a hook by the door. Likely. This means that if they got an authorized user’s credentials, the fact that the data was encrypted doesn’t help.
This will, predictably, several events –
Some Congress critters will say how terrible the President is that he allowed the Chinese in. Of course, the buck stops here, at the Oval Office, but it is not like companies all over the world are not being attacked. Some are Republican, some are Democratic. This is not a political affiliation problem.
The FBI will probably say that if only they had the ability to read your secure communications that this would not have happened. Hopefully they won’t since this did not start in the U.S. If they said that if only they could see all Chinese communications, then they might be right.
For defense contractors, they may see more and deeper security audits. This is no fun for defense contractors.
Ultimately, until we start taking cyber security seriously (remember that people’s top two favorite passwords are 123456 and password), nothing is likely to change.
So, as I lately have been saying – security or convenience – pick one.
Common cyber hygiene does make it harder – not impossible. Install patches, don’t click on links in emails. Hang up on the guy on the phone who calls and says, in a thick foreign accent, that he is from the computer support department and he is here to help you.
There is no simple answer. Sorry.