Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Leadership, Not Technology, Blamed for Huge OPM Breach

A report published this week by the U.S. House of Representatives Committee on Oversight and Government Reform said the data breaches disclosed by the Office of Personnel Management (OPM) last year were a result of culture and leadership failures, and should not be blamed on technology.

A report published this week by the U.S. House of Representatives Committee on Oversight and Government Reform said the data breaches disclosed by the Office of Personnel Management (OPM) last year were a result of culture and leadership failures, and should not be blamed on technology.

The OPM reported in June 2015 that hackers had accessed the personal data of more than 4 million federal employees. The next month, officials provided an update saying that the details of roughly 21.5 million additional people who underwent background checks had also been compromised. An investigation revealed that attackers had also stolen fingerprint data associated with 5.6 million individuals.

Threat actors based in China are believed to be behind the attacks and officials are concerned that, given the sensitivity of the compromised data, the incident will have a long-term impact on national security and counterintelligence.

According to the report published by the Oversight and Government Reform committee, the OPM inspector general had warned since at least 2005 that the agency’s systems were highly vulnerable to hacker attacks.

The report reveals that OPM learned of one breach in March 2014, after US-CERT informed the organization that a third-party had observed threat actors exfiltrating data from its networks. The agency monitored the hacker’s activities until late May, when it decided to kick it off its network as it had been getting too close to systems storing security clearance background information.

In the meantime, starting on May 7, a different hacker breached OPM’s systems using credentials stolen from one of the agency’s contractors. This second hacker went undetected for nearly a year, during which they exfiltrated background investigation files (July-August 2014), personnel records (December 2014) and fingerprint data (early 2015).

The second attacker’s presence was only discovered in April 2015. The authors of the report believe this hacker may have leveraged manuals and other information collected by the first hacker.

The report says OPM could have potentially prevented the incident had it implemented basic, required security controls, such as two-factor authentication, and expedited the deployment of more advanced security solutions after learning about the first breach.

Apparently, the agency used a product from Cylance, which consistently detected threats, but the solution was only deployed after the second hacker was detected in April 2015. OPM leadership allegedly ignored recommendations from the organization’s director of IT security operations to deploy the Cylance product after the initial attack was detected in March 2014.

The oversight committee has accused OPM officials of misleading Congress and the public, and attempting to downplay the incident.

“The longstanding failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the Inspector General, represents a failure of culture and leadership, not technology,” the report reads. “As OPM discovered in April 2015, tools were available that could have prevented the breaches, but OPM failed to leverage those tools to mitigate the agency’s extensive vulnerabilities.”

In response, OPM Acting Director Beth Colbert pointed out that the agency disagrees with many aspects of the committee’s report, but did not provide any clarifications. Colbert also highlighted several steps taken by the organization since the incident, including use of multi-factor authentication, rebuilding web-based applications, implementation of the DHS’s Einstein security system, and migration to a modern IT infrastructure.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...