Fallout from the massive hacks of Office of Personnel Management (OPM) database continues as Congressional staffers and lawmakers receive notification their personal data was compromised. An email from House Chief Administrative Officer Ed Cassidy said, “It now appears likely that the service records of current House employees employed previously by ANY federal government entity (including the House, if an individual left the House and later returned to a House position) may have been compromised.”
The email also stated, “the background investigation files of individuals holding security clearances (whether currently active or not) may have been exposed.”
Sen. Susan Collins (R-ME) took to Twitter Wednesday to share the breach notification letter she received from the OPM this week. The letter states that her Social Security number and other contact information may have been compromised and that third-party identity theft monitoring service CSID will offer 18 months of free credit monitoring. Collins added that her compromised personal information may have been due to a form she filled out more than 20 years prior.
— Sen. Susan Collins (@SenatorCollins) June 17, 2015
Compromised data likely due to federal form I filled out more than 20 years ago! – SMC
— Sen. Susan Collins (@SenatorCollins) June 17, 2015
The OPM’s notification strategy is also receiving criticism. The Washington Post notes that federal employees have been sent emails that ask them to click on a link to the CSID website for the credit monitoring, but the practice worries many recipients out of fear of sophisticated spear phishing attacks.
The Department of Defense (DoD) has already raised red flags about the 750,000 emails civilian employees have received. OPM spokesman Sam Schumach said, “We’ve seen such distrust and concerns about phishing.”
The Center for Democracy & Technology Chief Technologist Joseph Lorenzo Hall said, “There’s a risk that you desensitize people by telling them that occasionally, there’s going to be a very important email you have to click on,” noting this early round of notifications is like “sending a postcard to people saying gee, you just got hacked, go to this website. The hackers could wise up and send their own set of fake identity protection emails and get into your computers all over again.”
As a result of the DoD’s concerns, Chief Information Officer Terry Halvorsen has said the OPM is “suspending notification to DoD personnel … until an improved, more secure notification and response process can be put in place.”
CSID has tailored its emails to generate more confidence from those affected.
To pile on, the OPM is prepping a second wave of notifications about the second hack of security background checks, which will likely raise the total number of those affected way above 4.2 million. During her testimony Tuesday, OPM Director Katherine Archuleta admitted that number will likely rise.
The Washington Examiner reports that the Federal Law Enforcement Officers Association (FLEOA) is demanding that a second database for law enforcement personnel should be created to protect them and their families. A FLEOA memo adds, “Lifetime credit monitoring needs to be provided for the victims of this breach. Additionally, to remedy this gross incompetence, OPM must implement new preventative measures and should move background investigations back under the FBI and install a separate database for officers and their families and those with security clearances.
Despite harsh criticism from law enforcement and some Congressional lawmakers, President Barack Obama said he continues to have confidence in the OPM’s Archuleta.
The White House has also announced a “cybersecurity sprint” after the recent OPM hacks to better protect federal employment data. NPR asks whether it is “window dressing or something substantive?”
In an op-ed for The Hill, Information Technology and Innovation Foundation Vice President Daniel Castro criticizes the government’s apathetic approach to cybersecurity. “The truth is that it was less an indicator of the Chinese government’s technical prowess than it was proof of the U.S. federal government’s lackadaisical approach to securing its computer systems,” he wrote.
Finally, a report for Dark Reading examines the difficulty of protecting data in legacy systems, something the OPM said has been a roadblock in securing personal data. The simple “burn it down and start again” approach is not usually an option, the report states, so IT officials are stuck with trying to make improvements to legacy systems. Archuleta, on Tuesday, testified that one of its legacy systems could not encrypt data (Social Security numbers were included on that system).
Larry Loeb, the columnist for Dark Reading, also said that two-factor authentication for data access should have been in place. On Tuesday, OPM CIO Donna Seymour testified that the OPM has now implemented two-factor authentication for remote access to its systems.
Loeb also criticizes the EINSTEIN intrusion-detection system, which he says, “failed miserably.” Loeb notes that if failed because “it relied on people to tell it what to look for” and since the exploit used a previously unknown zero-day vulnerability, it was not tracked by the system. The Department of Homeland Security’s Andy Ozment, during Tuesday’s hearings, testified that the agency is currently developing a third phase of EINSTEIN—3A—that is smarter and more nimble than EINSTEIN 1 and 2.
In the meantime, look for more Congressional hearings on the incident—potentially from government IT experts and possibly third-party contractors who were hacked in 2014.
— Greg Otto (@gregotto) June 16, 2015
If you want to comment on this post, you need to login.