A report by a Congressional oversight body into a massive data breach at the US Office of Personnel Management (OPM) has taken aim at cybersecurity frailties that it said led to the exposure of almost 22 million victims' fingerprint and other personal data.

After a year-long investigation, the Committee on Oversight and Government Reform this week released “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation”.

The committee has blamed a poor governmental response to the first signs of danger, among other weaknesses. “The government of the United States of America has never before been more vulnerable to cyberattacks,” writes the body. “No agency appears safe.”

Attackers first gained access to OPM systems in July 2012, thanks to the installation of the Hikit malware package on its network. Evidence of adversarial activity on the network goes back as far as November 2013.

OPM wasn't notified of the malicious activity until March 2014. Even then, the attacker was allowed to gain a foothold on the network in May of that year, at which point the hacker installed a backdoor to download the confidential personnel information and began downloading it in July 2014.

“This is in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems,” the report charged. “The data breach by Hacker X1 in 2014 should have sounded a high level, multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM's highest-value data. It wasn't until April 15, 2015, that the OPM identified the first indicator that its systems were compromised by Hacker X2.”

Indeed, the hackers then continued to steal confidential personnel data from the system until March 2015, but the agency didn't even realize what had happened until May of that year.

“The lax state of OPM's information security left the agency's information systems exposed for any experienced hacker to infiltrate and compromise,” according to the report. “Had OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft.”

The OPM has responded with an explanation of its processes and outlined steps it has taken since the breaches.

“Over the past year OPM has worked diligently with its partners across government and made significant progress to strengthen our cybersecurity posture, and reestablish confidence in this agency's ability to protect data while delivering on our core missions,” Beth Cobert, acting director of the OPM, wrote on the agency's blog today.

She added that the agency has appointed a senior cybersecurity advisor who reports to OPM's director and hired a new chief information officer as well as a number of new senior IT leaders. The agency has also centralized its cybersecurity resources under a new chief information security officer, whose sole responsibility is to take the steps necessary to secure and control access to sensitive information, Cobert said.

In its report, the oversight committee recommends reducing the use of Social Security numbers as identifiers; reducing the barriers to implementing IT security policies; stronger security on federal Web sites; and modernizing existing legacy information technology assets.

It also suggests that CIOs be empowered to effect change, and retained for longer than the current average tenure of just two years.