Over a year has passed since the Office of Personnel Management (OPM) breach rocked the cyber world. Back in 2015 it was revealed that a huge amount of personal data had been stolen by cyber attackers when they breached the agency's defenses. At first the losses were placed at 4 million records, then the figure jumped to 10 million, over time to 18 million, and finally to upwards of 21 million records on past and current employees. Now comes word from the House Committee on Oversight that while investigators were looking in one direction for the attacker, a second attacker blindsided them and navigated freely around the system for many months collecting data on personnel... and it could have been prevented.
Eric Tucker, writing for the Associated Press, notes that “The report by the House Committee on Oversight and Government Reform faulted the personnel agency for failing to secure sensitive data despite warnings for years that it was vulnerable to hackers. It concluded that the hacking revealed last year could have been prevented if OPM had put in place basic, required security controls and recognized from an earlier break-in that it was actually dealing with a sophisticated, persistent enemy”. Sean Gallagher, reporting for Ars Technica, also notes the lack of security and writes “OPM failed to set up basic cyber hygiene”.
Few digital systems are totally invulnerable to an advanced attack, but in this case, once again, we have what appears to be a neglect of cybersecurity basics that laid the groundwork for the attack and subsequent breach of OPM systems. Training, technology and policies are important keys to cybersecurity, but there are times when you need to get back to basics. One can only hope that government agencies have learned that lesson.
Gallagher, S. (2016). Surprise! House Oversight report blames OPM leadership for breach of records. Retrieved from the Internet at http://arstechnica.com/information-technology/2016/09/surprise-house-oversight-report-blames-opm-leadership-for-breach-of-records/
Tucker, E. (2016). Missed opportunities to stop OPM cyber breach spelled out. Retrieved from the Internet at http://www.sfgate.com/news/politics/article/Missed-opportunities-to-stop-OPM-cyber-breach-9206765.php