There is no shortage of information on the interwebs about the massive Office of Personnel and Management breach that left computer systems and data exposed to hackers.
The hard part is cutting through the jargon and speculation to understand what happened and what this hack means for you, especially if you’re one of the 4 million current and former feds whose personal data may have been compromised. Sorry to be the bearer of bad news, but as OPM’s investigation of the incident continues, there’s a possibility that number could grow. (Read our most recent coverage here).
“Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary,” OPM said in a recent Q&A.
According to the agency’s timeline, OPM’s systems were breached in December 2014. OPM became aware of the cyber intrusion in April, only after it beefed up internal security measures to detect and mitigate cyber attacks. A joint investigation with the FBI and Department of Homeland Security’s US-CERT revealed last month that personal data may have been stolen. How the attack occurred and who was behind it are still under investigation, but reports citing unnamed U.S. officials claim that China is the perpetrator.
Because there are still a lot of maybes and ifs swirling around this incident, we wanted to do our best to distinguish between the facts, speculation and what details are being fleshed out – and what all of this means for you. Let’s start with the burning questions:
#1: Who was affected?
The breach may have compromised personal data of 4 million current and former federal civilian employees at executive branch agencies, including the Department of Defense. Military records were not affected. Contractors are off the hook, too, unless they are former federal employees. OPM said that family members included in your records were not affected by the breach.
#2: What does this hack mean for me?
If your information may have been compromised, you will be notified by OPM over the next two weeks. Notifications started going out on Monday, June 8, and will continue through June 19. “The communication to potentially affected individuals will state exactly what information may have been compromised,” OPM Press Secretary Samuel Schumach told GovLoop. Personal data that may have been stolen include:
- Names
- Social Security numbers
- Birthdates, place of birth
- Current and former addresses
- Job assignments
- Training records
- Benefit selections
“At this time, we have no evidence that there has been any use or attempted use of the information compromised in this incident,” OPM noted. But it isn’t uncommon for hackers to sit on information for months — or even years — before carrying out malicious acts.
#3: Is this one of the worst breaches in government history?
“This was the most significant breach of federal networks in U.S. history,” Rep. Michael McCaul, Chairman of the House Homeland Security Committee, said on CBS’ “Face the Nation.”
McCaul called the breach a huge data-mining project that appears to be the work of the Chinese government. “It was not done to steal credit card information, it was done to get personal information on political appointees and federal employees,” McCaul said.
For now, we know that as many as 4 million current and former feds may have had their records compromised. “What we don’t know is the degree,” said Steven Spano, President and Chief Operating Officer of the Center for Internet Security.
Spano recalled the 2006 theft of a Veterans Affairs Department employee’s laptop. The laptop contained personal information of about 26 million veterans and military personnel, which far surpasses the 4 million potentially affected by the OPM breach. But the number of potential victims isn’t the only indicator for determining the impact of a breach. “The question is what type of information was breached within those records,” Spano said.
#4: What if I get a notification that my data could be at risk?
“This may or may not go without saying, but you should be leery of any emails that contain links and attachments and claim to be about the OPM breach,” said Dan Waddell, Director of Government Affairs for the nonprofit security organization ISC2. “Do not treat this as your standard after-breach process, where you sign up for credit monitoring and think everything is okay,” Waddell said. “You need to be on the lookout for targeted spear-phishing attacks.”
Now that cybersecurity is going mainstream, you’ve probably heard of the term spear phishing. This tactic includes targeted attempts, usually via email, to extract sensitive information from an individual by posing as a trusted entity or person. One concern is that hackers may use stolen data about federal employees to trick them into opening malicious emails. One click could provide adversaries an open door into your agency’s network.
The domino effects may not be felt in the coming months — but years, according to security experts, who fear that hackers could use personnel data to target individuals working on sensitive projects and those who may be more susceptible to bribes and coercion due to financial hardships or other life issues.
If you have a security clearance, then you know the type of sensitive information that must be reported to the government. Think of this information as the “data people sometimes freely put on LinkedIn but on steroids — information that you wouldn’t want publicized,” said Ryan Kazanciyan, Chief Security Architect at Tanium. The firm was dubbed by Forbes as the secret cybersecurity weapon of Target, VISA and Amazon
#5: What services are available for affected individuals?
OPM is giving affected individuals a free subscription to CSID Protector Plus for 18 months. Check out the chart below to see what’s included in the coverage for those who enroll. Affected individuals will automatically receive $1 million of identity theft insurance and full-service identity restoration provided by CSID, OPM noted.
#6: If OPM discovered the breach in April, why are feds just now hearing about it?
Let’s revisit the timeline I provided earlier: OPM discovered the breach in April, but it wasn’t until May that the agency found out personal data may have been compromised. “As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals,” OPM said.
Tanium’s Kazanciyan agrees.
“For an organization that has been compromised there is always strong forces driving them to disclose as early as possible with as much information as possible,” said Kazanciyan. His past experience at security firm Mandiant included leading investigations into targeted attacks and helping companies detect and respond to them. “The challenge is these types of investigations often take time,” and organizations are often compelled to give information before they understand the full extent of the breach. That’s why some organizations end up revising early estimates about the impact of a breach — not because they tried to withhold data but because the investigation is ongoing.
Some breaches can be determined in a matter of days or weeks, if the right security tools are used and experienced professionals are involved, Kazanciyan said. He has seen some cases where the investigation takes months or years, only to yield insufficient details for remediating problems.
#7: What is OPM doing to secure itself?
The federal government as a whole has been implementing a DHS program known as Continuous Diagnostics and Mitigation. I promised I wouldn’t throw around too much jargon, so I’m going to keep it simple: The $6 billon program was created to give agencies access to standard software tools and services. Using these software tools, agencies can conduct automatic security checks of their network to see what devices are connected to their computer networks, if those devices have updated software patches and check a host of other potential security risks.
Following the breach, OPM implemented several new security measures, including restricting the access of network administrators who are remote, clamping down on the functions of remote network administrator and rolling out anti-malware software. But why did it take a cyber intrusion of this magnitude to spur improved security?
OPM isn’t the only government agency slow to respond to the increasing cyber threat, as noted in the annual information security report to Congress. That’s only part of the problem.
“A lot of security in the government is still driven on the front end by compliance,” Kazanciyan said. And compliance with a list of security standards, while good for maintaining cyber hygiene, is not the same as constantly monitoring federal networks for signs of a breach.
#8: What is the EINSTEIN program that was used to detect OPM breach?
EINSTEIN is a system created to detect and prevent intrusions of federal networks. DHS is working with agencies to implement the most updated version, known as EINSTEIN 3 Accelerated (E3A), government-wide.
At an April 15 Senate subcommittee hearing, Andy Ozment, Assistant Secretary for DHS’ Office of Cybersecurity & Communications, called EINSTEIN 3 “a first line of defense against cyber threats for federal civilian departments and agencies. E3A can be considered a set of security gates on the federal government’s traffic, located at the handful of Internet Service Providers (ISPs) that are used by almost every federal civilian agency to access the Internet.” The tool offers several features, including an email filtering capability that allows DHS to scan email destined for .gov networks for malicious attachments and other malware.
“Currently, approximately 26 percent of Federal civilian personnel are protected by at least one of E3A’s capabilities,” Ozment said at the hearing. As of April 3, a total of 51 agencies had signed agreements to roll out the services, which would raise EINSTEIN 3 coverage to 96 percent of all federal civilian personnel.
The OPM breach has accelerated rollout of the DHS program, which was initially scheduled to be adopted government-wide in 2018, White House Press Secretary Josh Earnest said at a June 5 briefing. That timeframe has been bumped up to 2016.
One drawback is that intrusion detection systems like EINSTEIN rely on unique identifiers, or signatures, to detect cyber threats that are known but does little to find unknown threats, said Kazanciyan.
#9: This isn’t the first time OPM has been hacked, right?
Correct. Last year, it was reported that hackers gained access to OPM databases, in addition to attacks against agency contractors.
This most recent OPM cyber hack may seem like déjà vu for more than 40,000 employees who were notified by the agency in December that personal data may have been compromised, following an attack against OPM contractor KeyPoint Government Solution. The company became OPM’s go-to background investigations firm after competitor U.S. Investigative Services fell victim to a cyber attack and lost its contract.
The nature and target of these attacks are not a coincidence, Kazanciyan said.
“To me, this is clearly a situation where an attacker deliberately targeted PII (personally identifiable information), including data on background investigations and the other data that OPM collects as part of its role in the government, for the purpose of intelligence collection on government employees,” he explained. “I would distinguish that from more common stealing of PII to commit fraud.”
#10: What should I do to protect myself?
OPM offers a host of tips for current and former federal employees. Here are a few:
- You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion at 1-800-680-7289 to place this alert. TransUnion will then notify the other two credit bureaus on your behalf.
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
#11: Should state governments be concerned?
Erik Avakian, Pennsylvania’s Chief Information Security Office, said he is keeping a close eye on the OPM incident, specifically what information was compromised, what security measures were in place and how information may have been compromised. All the specifics likely won’t be released publicly, but states such as Pennsylvania have mechanisms for sharing and receiving more sensitive information with its partners.
#12: Where can I get more information?
For information pertaining to the incident and your coverage, OPM is directing individuals to visit www.csid.com/opm, or call 1- 844-222-2743.
If you have additional information that would be helpful for former and current feds to know, please include it in the comments section.
Related Links: