It’s highly likely that sophisticated hackers stole sensitive data from Office of Personnel Management systems containing Social Security numbers and other personal records of current and former federal employees, government officials testified on Tuesday.
Although OPM has not determined the full scope of not one, but two recent hacks against its IT systems, Director Katherine Archuleta told lawmakers that there is a “high degree of confidence” that data was exfiltrated, or removed from OPM networks. Archuleta explained that any federal employee whose agency submitted a service history record to OPM may have had their data compromised, even if the full personnel file was not stored on OPM systems.
For now, OPM is sticking to 4.2 million as the number of individuals who may be affected by the breach it initially reported June 4, but that number will likely grow in the wake of OPM’s ongoing investigations and discovery of a second breach in May.
We know that OPM maintains legacy systems dating back to 1985, but Archuleta could not confirm whether that means 30 years’ worth of data was compromised and now in the hands of sophisticated hackers. To be clear, these weren’t low-level cybercriminals that breached OPM’s systems. The intruders “executed very sophisticated tactics to obtain OPM data hosted in DOI data centers,” Interior CIO Sylvia Burns told lawmakers.
In the wake of cyber attacks against the IRS, State Department, the White House, the United States Postal Service and contractors, lawmakers are concerned that these recent OPM hacks are part of a larger coordinated effort to create comprehensive profiles on Americans, particularly government employees.
To keep you current, GovLoop compiled a detailed summary of key takeaways from Tuesday’s House Oversight and Government Reform Committee hearing:
#1. There were two recent breaches, and it’s highly likely that sensitive data was stolen.
Personal records compromised by the breach include typical information about job assignments, some performance ratings but not evaluations, training records for personnel and other personally identifiable information (names, Social Security numbers, birthdates, place of birth, current and former addresses and benefit selections), according to OPM Chief Information Officer Donna Seymour. These are longitudinal records, so they span across an employee’s federal career.
The second breach that compromised background investigation information includes data from clearance adjudication and the Standard Form 86. The more than 120-page document is used to conduct background investigations, reinvestigations and continuous evaluations for current and future security clearance holders. The document contains highly sensitive information about individuals’ emotional and mental health, legal history, financial woes and information about friends, colleagues and past roommates. At the bottom of nearly every page, respondents are required to write their Social Security number.
“We have not yet been able to do the analysis of the data involved with [the] background investigation incident,” Seymour said. “As soon as we can narrow the data involved in that incident we will make appropriate notifications.”
#2. The two hacks were discovered in April and May.
GovLoop reported last week that OPM’s systems were breached in December 2014. OPM became aware of the cyber intrusion in April, only after it beefed up internal security measures to detect and mitigate cyber attacks. A joint investigation with the FBI and Department of Homeland Security’s US-CERT revealed last month that personal data was compromised. How the attack occurred and who was behind it are still under investigation, but reports citing unnamed U.S. officials claim that China is the perpetrator.
“During the course of the ongoing investigation, the interagency incident response team concluded – later in May – that additional systems were likely compromised, also at an earlier date,” according to Archuleta’s written testimony.
#3. Current and former civilian employees at executive agencies may not be the only victims.
Seymour acknowledged that the pool of potential victims could extend beyond civilian employees. Initially, OPM said military records were not affected and that contractors were off the hook, unless they are former federal employees. OPM also said that family members included in your records were not affected by the breach. When asked whether contractors, CIA and military personnel were affected, Archuleta declined to answer those questions in public and deferred them for a classified briefing scheduled directly after the hearing.
It’s likely that current, former and prospective federal employees, as well as individuals for whom a federal background investigation was conducted were affected by the breaches.
By the end of the week, OPM will have notified 4.2 million current and former civilian employees that their personal data was exposed. But the number of potential victims could be more than 4.2 million, Archuleta said.
#4. OPM did not encrypt Social Security numbers.
Archuleta confirmed that Social Security numbers weren’t encrypted. She said the agency is working with legacy systems that are decades old and is limited in the security capabilities that can be installed on aging systems. Archuleta noted that OPM is taking other steps to secure data, including the use of two-factor authentication. In general, two-factor authentication requires the use of additional information (beyond usernames and passwords), tokens or biometrics to verify an individual’s identity.
During the hearing, Andy Ozment, Assistant Secretary for Cybersecurity and Communications at DHS, said if adversaries steal users’ credentials, they can access data on the network and encryption won’t help. “That happened in this case,” Ozment said of the OPM breach.
#5. OPM is battling lingering IT security issues.
OPM has a long history of systemic failures to properly manage IT infrastructure that could lead to security breaches, said Michael Esser, Assistant Inspector General for Audits at OPM. During the hearing, Esser highlighted key issues plaguing the agency:
- For many years, OPM operated in a decentralized manner. Program offices managed IT systems, and the CIO had little access or control over those systems despite ultimate responsibility to secure the systems. In 2014, OPM took steps to centralize IT responsibilities within the CIO office.
- Each system OPM owns is required to undergo a security assessment and authorization. This process is used to ensure the systems meet applicable security standards before they are allowed to operate. Last fiscal year, 11 OPM systems were operating without a valid authorization. Archuleta said all systems are now authorized and are operating. Last year, the IG recommended that OPM shut down systems because of the risk they posed, but that was not done. “To shut down systems we need to consider all responsibilities we have with use of systems,” Archuleta said. “As director of OPM I have to take into consideration all the work we must do, [and] it was my decision we would not shut down systems” but continue to improve security of those systems. Part of the issue, Esser said, is there are no consequences or sanctions in place for the owners of OPM IT systems that do not have a valid authorization to operate.
- OPM has implemented numerous security measures to protect its IT assets and data, but Esser raised concerns about the breadth and quality of those efforts. He said OPM does not have an accurate inventory of all its servers and databases. Even if security tools are fully implemented, they can’t fully defend OPM networks without a full inventory of all IT assets.
Other questions that OPM and DHS officials deferred for the classified briefing after the public hearing:
Did these cyber attackers gain access to OPM data systems using information they stole from former OPM contractor USIS or KeyPoint Government Solutions last year?
Did hackers use a zero day vulnerability to get into the network?
How likely is it that hackers were able to access information through an employee account?
What are the security implications of SF 86 data being hacked? The form requires individuals to list foreign nationals with whom they have contact, and that could pose a great risk.
What type of information may have been stolen in the second breach?
What could hackers do with the stolen data?