You are here

The reality of the Office of Personnel Management breach and how to mitigate risk

public://pictures/Todd-DeCapua-CEO-DMC.png
Todd DeCapua, Technology leader, speaker & author, CSC

This article is part of an ongoing series of Performance Retrospectives that assess real-world application performance issues in the recent past, analyze what might have happened, and offer up best practices that just might help you avoid similar problems.

[ Get up to speed fast on today's tools with TechBeacon's Application Security Buyer's Guide 2019 ]

What happened

While specifics of the breach aren't being released, it's known the intruders gained access to information that included employees' Social Security numbers, job assignments, performance ratings, and training information. "Officials declined to comment on whether payroll data was exposed other than to say that no direct-deposit information was compromised. They could not say for certain what data was taken, only what the hackers gained access to."

The American Federation of Government Employees (AFGE) said the attack on the Office of Personnel Management (OPM) resulted in the theft of all personnel data for every federal employee. "Certainly, OPM is a high-value target," Donna Seymour, the agency's chief information officer, said in an interview. "We have a lot of information about people, and that is something that our adversaries want."

[ See Guide: Best Practices for GDPR and CCPA Compliance ]

Why it happened

Numerous sources used the following description: "The government has a large, costly, sophisticated, and mostly secret system for protecting its data. But that system is, even according to the government, obsolete. It follows an old protocol of attempting to keep hackers outside, like a fence. Newer systems assume hackers will get through the outside defense and try to stop them once they're inside."

The US had been warned that it wasn't ready in an inspector general's report late last year. By the time the report landed, it was apparently too late, but many of the steps it recommended still haven't been taken. For example:

In the most egregious case cited by the inspector general, outsiders entering the system were not subjected to "multifactor authentication" — the systems that, for example, require a code that is sent to a cellphone to be entered before giving access to a user. Asked about that in an interview, Donna Seymour, the chief information officer at the Office of Personnel Management, said that installing such gear in the government's "antiquated environment" was difficult and very time consuming, and that her agency had to perform "triage" to determine how to close the worst vulnerabilities.

Encryption and data obfuscating techniques "are new capabilities that we're building into our databases," Donna Seymour, the OPM chief information officer, told POLITICO.

The business impact

The Obama administration announced that this massive theft of federal employee data will cost American taxpayers as much as $20 million.

The Office of Personnel Management said that, in response to the data breach, it had contracted with the company CSID to provide services to the current and former federal workers who had their personal information stolen. OPM said as many as four million people could be affected. "This comprehensive, 18-month membership includes credit report access, credit monitoring, identity theft insurance, and recovery services," OPM said. OPM announced a final contract to provide those services with Winvale Group LLC. Winvale is the main contractor, and CSID is the subcontractor.

While the services will be free for federal workers, they won't be free for taxpayers. According to the contract award announcement, OPM will pay Winvale $20,760,741.63 for services designated as "call 1" in the contract. Those services include sending out 2.1 million emails to affected employees and 1.1 million letters, plus call center support, credit monitoring, and ID theft and recovery services for 3.2 million people.

Takeaways

Build in security with your application development team early in the process, which will help accelerate delivery and ensure security for your end users. Data is a big business. When it comes to cyber­ espionage, countries are willing to pay a lot of money, so they can acquire and be able to use this data.

As we have seen, security capabilities and practices are a reasonable way to mitigate these risks. Moving slower and less agile than your adversary results in significant business impact [$20+ million loss] not to mention all the other risks, including reputation.

For more specifics on how other organizations are mitigating risks, see Art Gilliland, SVP and GM for Enterprise Security Products at HP Software, on CNBC on the "Hacking of America," along with additional information at http://www.hp.com/go/Security for you.

Image source: Eric Fischer/Flickr

[ Join Webinar: Five Steps to Implement a Universal Policy Strategy ]