The U.S. Office of Personnel Management (OPM) disclosed that it was the victim of a data breach that may have compromised the personal information of approximately 4 million current and former federal employees.
Multiple media reports have alleged that unnamed government sources have cited China as the source of the hack, while Chinese officials have denied the allegations.
“Within the last year, OPM has undertaken an aggressive effort to update its cyber-security posture, adding numerous tools and capabilities to its networks,” the OPM stated. “As a result, in April 2015, OPM became aware of the incident affecting its IT systems and data that predated the adoption of these security controls.”
OPM also stated that after identifying the incident, it engaged with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to assess the impact of the data breach. OPM also stated that it has since implemented new security controls to protect sensitive information.
Starting on June 8, the OPM will send formal notifications to the 4 million individuals affected by the data breach.
“To mitigate the risk of fraud and identity theft, OPM is offering affected individuals credit-monitoring services and identity-theft insurance with CSID, a company that specializes in identity-theft protection and fraud resolution,” OPM stated. “This comprehensive, 18-month membership includes credit report access, credit monitoring, identity-theft insurance, and recovery services and is available immediately at no cost to affected individuals identified by OPM.”
The OPM is not the first U.S government agency to disclose a data breach in recent months. Last fall reports surfaced about the breach of an unclassified White House network as well as attacks on the United States Post Office and the National Oceanic and Atmospheric Administration (NOAA).
Security researchers eWEEK contacted said breaches of government agencies are serious but not surprising.
“The U.S. government will always be in the cross hairs of cyber-espionage efforts, and given the reach OPM has across the U.S. government’s clearance records, it isn’t too surprising they found themselves a victim,” Ryan Trost, co-founder and CIO at ThreatQuotient, told eWEEK. “Knowledge is power in the world of governments, and although servers house that knowledge, employee records provide a treasure chest of target-rich information to coordinate future attacks with.”
Greg Kazmierczak, CTO of Wave Systems, commented that hackers see government agencies as high-value targets with proven vulnerabilities. “We should be very concerned by how our enemies will attempt to exploit this information,” Kazmierczak told eWEEK.
Andy Hayter, security evangelist at G DATA Software, noted that while it’s still early in the OPM investigation to connect the dots with other U.S. government breaches, it is likely that each one that occurs is arming cyber-criminals with exactly what they need and want to execute additional attacks. “Unfortunately, every time there’s another breach on a federal agency, it spells out our vulnerabilities loud and clear to our adversaries, letting them know there are many more opportunities for them to hack our systems and networks over and over again,” Hayter told eWEEK.
Hackers Hit U.S. Office of Personnel Management
Ken Ammon, chief strategy officer at Xceedium, said that for the past 12 to 18 months, there has been a common pattern of attacks by well-funded nation-states throughout both the commercial and the government sectors. “Nearly every breach is rooted in a two-step process, and this breach appears to mimic others before it,” Ammon said.
“Attackers, often through targeted phishing attacks on privileged users, like systems administrators and senior-level officials, gain initial access to the network through compromised credentials, elevate their rights within the system and access critical data at the highest levels of security,” he said.
Given the public admission of multiple breaches, Hayter said, it must appear to threat actors all over the globe that the U.S. government’s IT systems are full of holes, and the response from the United States is to play whack-a-mole every time, in a valiant attempt to close each hole.
“In light of this and many other breaches, the U.S. government needs to move past checkbox compliance efforts and regularly conduct complete audits of each and every system, using experienced penetration testers who can help them continuously find and fix vulnerabilities,” Hayter said.
ThreatQuotient’s Trost said a common question across all breaches is how to protect against similar future attacks. “Sadly, sometimes the answer is to take advantage of the mishap to find the budget to get the missing tool, or hire a new senior analyst, or even procure annual training on the tools being used,” Trost said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.