Twenty-two million victims. Personnel records for an additional 4.2 million people. A pool of affected parties that includes intelligence officials, law enforcement officers, and members of the diplomatic corps. Two million victims left un-notified. The Office of Personnel Management (OPM) wasn’t just the most wide-ranging breach of government systems ever to occur—it was an indictment, a warning sign, a red flag telling the citizens of the United States that their government couldn’t protect them on the digital battleground.
How did this happen? A new congressional report shreds the OPM for numerous security failures in a 241-page analysis. Oversights include its use of security software, allowing itself to be fooled by a hacker impersonating a government worker, and underestimating the risk of a cyber attack in and of itself.
The Mechanics of a Breach
According to the report, the first warning sign for the OPM was delivered in March of 2014. At this point, a hacker was already in its network, and had been exfiltrating data for an indeterminate period of time. In conjunction with US-CERT (the United States Computer Emergency Readiness Team), the OPM developed a plan to corner the attacker in order to discover their identity and nationality.
This plan might have worked well—if there had been only one attacker. Unfortunately, there were two. Two months after the OPM was notified of a breach, a second attacker posed as an OPM contractor, gained OPM credentials, and then used that access to install malware. When the first hacker was kicked out of the OPM systems, the second attacker remained invisible and began intensifying their attacks.
OPM Breach Has Frightening Fallout
What occurred at the OPM is a relatively common scenario. Most cyber attackers work in groups. Impersonating a third-party vendor and using their credentials to break into a secure system is an incredibly common occurrence. According to a recent survey by the Ponemon Institute, 49% of companies can trace a data breach to a third-party vendor in some way. In this case, the results of that oversight were chilling.
For example, while the OPM does personnel vetting for all State Department employees, the CIA (which was not directly hacked) always vets its own agents. CIA agents are usually embedded at State Department postings, however. It would be possible to take the records stolen from the OPM, and cross-reference them with the publicly available list of State Department employees at various embassies. By that logic, anyone on that public list, but not vetted by the OPM, would most likely be an undercover CIA agent.
These concerns are borne out by reality—the CIA did pull most of its operatives from Beijing and China in the wake of the OPM hack. Security researcher Brian Krebs has an even more sinister theory, however. He writes, “If the attackers could steal all of this sensitive data and go undetected for so long, could they not also have granted security clearances to people who not only didn’t actually warrant them, but who might have been recruited in advance to work for the attackers?”
Basic Security Procedures Could Have Prevented Breach
Hindsight is 20/20, but there are a number of ways that the OPM could have mitigated this breach. Installing perimeter prevention solutions that help stop a hacker from gaining access to applications, widespread implementation of two-factor authentication, in-network hacker detection capabilities, and inspection of data being exported en masse would all have gone a long way toward preventing this large-scale event.
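One minimal form of the bulk-export inspection mentioned above, added here as an illustration and not code from the original post or from Safe-T's products: it reads constructed egress log lines (timestamp, account, destination, bytes), sums each account's outbound volume over a sliding one-hour window, and flags accounts whose volume in any window exceeds a threshold, the kind of signal that would have stood out for a contractor account pulling records in bulk.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log (hypothetical accounts, documentation IP ranges):
# "<ISO timestamp> <account> <destination> <bytes sent>"
SAMPLE_LOG = """\
2014-05-07T01:12:03Z contractor_a 203.0.113.10 524288000
2014-05-07T01:15:44Z contractor_a 203.0.113.10 734003200
2014-05-07T01:22:10Z contractor_a 203.0.113.10 943718400
2014-05-07T09:05:00Z analyst_b 198.51.100.5 2048000
2014-05-07T09:40:12Z analyst_b 198.51.100.5 1048576
2014-05-07T10:01:30Z admin_c 192.0.2.20 314572800
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, destination, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, dest, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, dest, int(nbytes)))
    return events


def find_bulk_exports(events, window=timedelta(hours=1), threshold=1_000_000_000):
    """Return {account: peak_window_bytes} for accounts whose outbound volume
    inside any sliding window of `window` length exceeds `threshold` bytes."""
    by_account = defaultdict(list)
    for ts, account, _dest, nbytes in events:
        by_account[account].append((ts, nbytes))
    flagged = {}
    for account, items in by_account.items():
        items.sort()                      # order transfers by time
        start, running = 0, 0
        for end, (ts, nbytes) in enumerate(items):
            running += nbytes
            # Slide the window start forward until it spans at most `window`.
            while ts - items[start][0] > window:
                running -= items[start][1]
                start += 1
            if running > threshold:
                flagged[account] = max(flagged.get(account, 0), running)
    return flagged


if __name__ == "__main__":
    for account, peak in find_bulk_exports(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {account} sent {peak} bytes within one hour")
```

The threshold and window are assumptions to be tuned against each account's normal baseline; a fixed threshold alone will miss slow, low-volume exfiltration spread over days.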
At Safe-T, we understand the criticality of preventing a hacker from intruding on the network perimeter. This should always be the first line of defense against malicious outsiders. We also know that securely sharing data with partners and vendors isn’t the easiest thing in the world. That’s why our secure data transfer solutions include many options for our clients to deploy security tools. Our customers can automatically enforce security policies such as monitoring data being exported from the network, and encryption and user authentication on shared drives and cloud storage, while seamlessly connecting their endpoint protection software in order to scan incoming files.
Register today for our live webinar, taking place Thursday, October 13th, for more information on RSAccess and Safe-T Box, and see how our solutions can protect your perimeter and critical data from bad actors.