Security Experts:

OPM Suspends Background Check System to Patch Security Bug

The U.S. Office of Personnel Management (OPM) announced on Monday that it has temporarily suspended its Electronic Questionnaires for Investigations Processing (e-QIP) system after discovering the existence of a security bug.

Following the recent data breach, in which attackers are said to have gained access to the details of as many as 18 million federal employees, the OPM started conducting a comprehensive security review of its IT systems.

The audit revealed the existence of a vulnerability in e-QIP, a web-based system used to conduct background checks for federal security, fitness, suitability, and credentialing purposes.

According to the OPM, the temporary shutdown of the e-QIP system is not related to the recent breach; it is a proactive step taken to ensure the security of the organization’s network. There is no evidence that the security flaw uncovered during the review has been exploited, the agency said.

“The security of OPM’s networks remains my top priority as we continue the work outlined in my IT Strategic Plan, including the continuing implementation of modern security controls,” stated OPM Director Katherine Archuleta. “This proactive, temporary suspension of the e-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted.”

The background investigations system will be offline for 4-6 weeks while security enhancements are put into place.

The attackers that targeted OPM are said to have gained unauthorized access to personally identifiable information (PII), records and other sensitive data belonging to millions of current, past and prospective federal employees.

While OPM officials haven’t said anything about who is behind the attack, actors sponsored by the Chinese government have been the prime suspect from day one. China was also named the “leading suspect” by Director of National Intelligence James Clapper at a conference in Washington last week.

China is often blamed for cyberattacks against United States organizations, but the country has constantly denied any involvement. Last week, US and Chinese officials met in Washington and once again held talks on hacking.

The American Federation of Government Employees (AFGE) has filed a class action lawsuit against the OPM, its director, and its chief information officer. The complaint also names KeyPoint Government Solutions, a private contractor that handled a majority of OPM’s background checks. KeyPoint announced suffering a data breach in December 2014.

The AFGE has pointed out that the audits conducted by the OPM’s Office of Inspector General over the past years have revealed the existence of several security issues. The report published by the OIG in November 2014 revealed that the cyber security deficiencies “could potentially have national security implications.”

The AFGE said the OPM failed to take proper measures to protect sensitive information despite knowing of the KeyPoint hack and the security weaknesses that plagued its own systems.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.