The Office of Personnel Management, a 6,000-person independent agency that is the beating heart of the US government’s civil service, admitted Thursday that its computer network had been compromised and data on some 4 million federal employees stolen by unidentified hackers.
The OPM issued a statement saying it had "identified a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information." The agency will notify approximately 4 million individuals whose personal information may have been compromised, the statement read.
The compromise was discovered in April after OPM deployed what it described as "numerous tools and capabilities to its networks" with a goal of updating "its cybersecurity posture." The intrusion predated the adoption of the tougher security controls, the agency said.
The attack fits with a pattern of other recent breaches at organizations known for harboring rich data on large groups of people. In recent months, compromises at a health networks Anthem Healthcare, Premera Blue Cross, and Community Health Systems led to the theft of personally identifying information on close to 100 million individuals.
While the data in those attacks can't be used to quickly make bogus credit card purchases, for example, it would useful for a range of follow-on crimes, from financial and medical identity theft to targeted “spear phishing” attacks. That is a marked change of form from the cyberattacks on point of sale systems and retailers such as Target and Home Depot that have dominated the headlines in recent years.
“This is definitely where the trend is going,” says Eric Chiu, president of the California security firm HyTrust. “The ramifications are huge.”
He says that credit card data taken in many criminal hacks is "low hanging fruit. And credit card numbers are a lot less valuable today, because credit card companies can respond quickly and shut the cards down.”
In contrast, a stolen Social Security Number cannot be changed and personal information that can be used to protect account information is – by its very nature – static. “You can take over an identity and open 10 accounts and charge up a storm,” said Chiu.
Because OPM acts as the human resources department for the entire federal government, the possible theft of so much personnel data impacts almost every corner of the government, providing whomever gained access to OPM’s network with the means to carry out both sophisticated and targeted “phishing” attacks against federal employees, but also online and real-world identity theft.
Mark Graff of the consulting firm TellaGraff was likely among those whose personal information was exposed in the breach. A nine-year employee of Lawrence Livermore National Laboratory, Mr. Graff interviewed with OPM personnel on numerous occasions to obtain and update the high-level government security clearances required for his work.
Graff said he had not received any notification from the government about whether his personal information was among that stolen by the hackers. But Graff, who served as Lawrence Livermore's chief information security officer, said he is assuming the worst.
He said the breach was "disturbing" and possibly one of the most damaging in the history of cyberespionage against the US. That's especially true if it turns out that malicious hackers got access to the highly personal and potentially damaging information collected by OPM as part of the security clearance screening process.
"You're talking about secrets that involve other people – information about failed businesses, money troubles, lovers," said Graff. "If the Chinese wanted to go to war with the US, they would have the ability to sow confusion and stress within the Intelligentsia in the US," he said.
OPM said that its investigation of the breach is on going and that exposures may come to light; in that case, OPM will conduct additional notifications as necessary. The agency is offering any current or past federal employees free credit report access, credit monitoring, and identify theft insurance and recovery services.
Details of the breach or its discovery are still cursory. Citing unnamed officials with knowledge of the investigation, the Washington Post reported Thursday that hacking crews based in China are believed to be behind the incident. The attack targeted OPM servers hosted at the Interior Department. Chinese officials have denied involvement in the attack.
OPM has a history of technical woes, including lax risk management practices around IT projects and outdated, paperbound processes. A series of Government Accountability Office (GAO) reports stretching back a decade documents a long list of IT management weaknesses at OPM. Among them: the overhead of outdated “legacy” computer hardware and software, processes that still rely in part on hard copy (paper) documents, as well as a muddled process for identifying and tracking project risks and mitigation strategies.
According to a 2012 report, OPM maintains more than 80 different systems to manage connections to around 400 separate personnel and financial systems located at agencies throughout the federal government.
Recently, however, the agency appears to have turned a page – at least when it comes to cybersecurity. Among other things, OPM contracted with the firm CSG Invotas to implement what it described as a security automation platform designed to spot malicious or suspicious activity on its network.
“We've changed our perspective about how cybersecurity works,” said OPM director of IT Security Jeff Wagner in a March interview with Federal News Radio “I go by visibility and create security controls that let me know when things are not the way they are supposed to be. I look for behavior changes," he said.
After discovering evidence of a compromise with Invotas, OPM is believed to have worked with the Department of Homeland Security and the FBI to investigate it further.
The possibility that a nation-backed hacking group is responsible is indeed worrying. Groups such as this can use information stolen from the OPM systems to craft convincing “spear phishing” e-mails to current or former federal employees with access to critical systems.
And federal agencies should be concerned about the possibility of the information being used to craft false documents that would allow a malicious actor to gain physical access to sensitive federal facilities, according to Chiu of HyTrust.
Chris Wysopal, the chief technology officer of the firm Veracode, said that the theft of so much data suggests that detection of the breach was either very delayed or insufficient to the threat.
“Detection is only effective when there are processes or people who can respond to the alarms … . This is a problem with over reliance on detection. It is difficult to weed out real alarms from the noise and have adequate responses,” Wysopal wrote in an e-mail statement.
OPM has been the target of hackers before.
It was involved in a series of attacks in 2014 against OPM and the US Investigations Services, a government contractor who helps conduct security clearances. Recent attacks have also targeted employee files at the Postal Service as well as the White House. The coincidence of a second breach, so soon after the earlier compromise, raises the question of whether OPM was successful in elimination access to its networks following the discovery of the previous attack.
Companies and large organization still devote most of their security resources to defending networks from external attack, said Chiu. That means once an attacker gets access within a network environment, there is “little or no security on the inside stopping them.”