Brief: 4 million federal employees affected by data breach at OPM

In a statement on Thursday, the U.S. Office of Personnel Management (OPM) said they’ve recently become aware of an incident that has potentially compromised the personal information of current and former federal employees.

Citing anonymous U.S. officials, the Wall Street Journal says that China is suspected as the source of the attack, described as one of the largest thefts of government data ever seen.

DHS officials said they determined the data had been stolen at the beginning of May.

“Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks. As a result, in April 2015, OPM became aware of the incident affecting its information technology (IT) systems and data that predated the adoption of these security controls,” the OPM statement explained.

“Beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals whose Personally Identifiable Information was potentially compromised in this incident.”

The OPM will offer federal employees affected by the breach 18 months of credit monitoring from CSID.

In a statement released earlier this evening, the FBI confirmed they were investigating the issue, but didn’t reference the anonymous administration comments placing the blame on nation-state actors. The DHS says they are monitoring other government networks for suspicious activity.

Speculating, Vanita Pandey, the senior director of strategy and product marketing at ThreatMetrix, had her own ideas about the OPM breach.

“A data breach or hack such as the one that has targeted [the OPM] is likely the result of criminals using stolen identities from other recent data breaches,” she said.

“Think of any of the recent data breaches – they’re like oil spills – they have an immediate impact on the environment and a lasting impact of digital debris.”

Her point being, that data exposed during other breaches could have been pieced together to target someone at the OPM. From there, the OPM employee’s access could be abused in such a way that the attackers (Chinese or otherwise) were able to set-up shop on the network and access records at will.

At this point though, everything related to the OPM breach is mostly speculation. Officials commenting on the matter, while quick to place blame, seem to have little faith in their own conclusions, as they refuse to go on record.

Update:

Chris Wysopal, the CTO of Veracode, sent over some interesting stats pulled from Veracode’s cloud-based platform.

According to the figures:

• The government ranks last behind other industry sectors with respect to the security of its software. For example, 3 out of 4 applications fail the OWASP Top 10 when first assessed for risk.
• The government has the highest prevalence of easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting. Part of the reason for this is that the government still uses older programming languages (such as Cold Fusion) which are known to produce more vulnerabilities.
• The government is ranked last in terms of the percentage of vulnerabilities that eventually get fixed

“DHS said its EINSTEIN intrusion detection system detected the attack but with 4 million records stolen the detection was either very delayed or there wasn’t adequate response to the detection,” Wysopal said in a statement.

“Detection is only effective when there are processes or people who can respond to the alarms.  We saw in the Target breach that an intrusion detection system did sound the alarm but it wasn’t acted on.  This is a problem with over reliance on detection. It is difficult to weed out real alarms from the noise and have adequate responses.”