Federal Union Says OPM Breach Hit Every Federal Employee
On June 4, the U.S. Office of Personnel Management (OPM) reported that in April it became aware of a cybersecurity incident that affected its systems and data and was thought to have compromised the personal information of 4 million current and former federal workers.
As it turns out, it’s much worse than that, according to the American Federation of Government Employees (AFGE). The group, in fact, said hackers most likely have all the personal information of every federal employee, including Social Security number, military records and veteran status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more.
“Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees,” said AFGE President J. David Cox in a June 11 letter to Katherine Archuleta, the OPM Director.
What OPM Is Doing
Since the incident was identified, OPM said it has partnered with the U.S. Department of Homeland Security's U.S. Cyber Incident Response Team, and the Federal Bureau of Investigation to determine the impact of the breach on current and former to federal personnel. OPM said immediately implemented additional security measures and will continue to improve the security for the sensitive information it manages. The FBI has opened an investigation to identify and hold accountable the person(s) responsible for this incident, according to the OPM.
In his letter to Archuleta, Cox said since the breach, OPM has not shared much information with his organization, citing the ongoing investigation. Cox said his group believed that the Social Security numbers of the employees were not encrypted, calling it a "cyber security failure that is absolutely indefensible and outrageous.”
Cox wants the government to give employees lifetime credit monitoring services, instead of the 18 months of monitoring that is currently being offered, as well as liability insurance to cover the costs of the breach. Additionally, Cox criticized OPM for outsourcing the responsibility for addressing federal employees' concerns to a contractor.
Fingers Pointing to China
Although it's unclear where the hack originated, Republican Senator Susan Collins, a member of the Senate Intelligence Committee, has said, "While we still do not know for certain who is behind this attack, it has the hallmarks of a sophisticated attack, and we know there are countries who currently possess the capabilities to conduct such an attack, including Russia, China, and Iran."
We turned to Igor Baikalov, chief scientist at security analytics firm Securonix, to get his thought on the attack. He told us a good security practice is to assume the worst until proven otherwise.
“More and more officials are pointing fingers to China as the most likely culprit in the attack, but there was no official statement to that regard and it's naive to expect one,” Baikalov said.
First, he said the U.S. spies for “national security advantages” just like China does -- no moral high ground there. Second, and most frustrating, is that there's not much U.S. can do to retaliate for this attack: “Economic sanctions are hardly applicable to the country that holds most of your national debt," he said.
What Will Obama Do?
Philip Lieberman, CEO, security software firm Lieberman Software, told us the OPM, an agency entrusted with the defense of its government employees, ignored the government’s guidance and failed to implement off-the-shelf technologies that are common to the commercial realm.
“A fix for the problem was a phone call away to virtually any of the defense contractors in the beltway who have been dealing with these types of attacks for decades,” Lieberman said. “Unfortunately, this problem now falls on the president as commander in chief for an appropriate response.”
Of course, there’s no response that unrings the bell. At its core, the OPM breach was not so much a problem of technology as much as it was a lack of process, systems design, lack of external oversight, and the lack of cyber defense staff to automatically stop the attack and at worst, minimize the consequences, Lieberman said.
“In every tragedy there is an opportunity to create a better future,” he said. “As the commander in chief, the president will now need to deal with serious threats from the outside and serious weaknesses within his own government. I hope that the legislature backs him as well as the unions to change the government so that there will not be a repeat of this scenario, or at least make future attacks less effective.”
Posted: 2015-06-23 @ 1:44pm PT
I am a retired government employee. In your article you mentioned "Cox wants the government to give employees lifetime credit monitoring services, instead of the 18 months of monitoring that is currently being offered, as well as liability insurance to cover the costs of the breach." There has been no personal notification to government employees about the "18 months of monitoring that is currently being offered." Just who is being given this protection. The U.S. taxpayer really can't afford to provide this to that entire population. So can you identify who, if anyone, is getting coverage? I'm sure only the most elite will be eligible.
Posted: 2015-06-18 @ 5:02am PT
If the intent is to zero out all American bank accounts this is one step toward that goal.