
The Office of Personnel Management - how not to handle data








The Office of Personnel Management is the human resources department for the US federal government, responsible for background checks and security clearances. The OPM conducts more than 90 percent of federal background investigations, according to its website. Over the past few weeks the public has been made aware of the failure of the Office of Personnel Management to keep its data safe from hackers, on more than one occasion.

The Department of Homeland services was forced to concede digital defeat after a second breach of the OPM data pool put more information in the hands of hackers. The whole fiasco has made for engaging reading from afar but has, no doubt, been upsetting for those US government employees (and former employees) who have had no choice but to trust the OPM with their personal data. Here are some of the most interesting points to take away from the OPM disaster:
  • Chinese hackers were inside the system for over a year before they were discovered. The Office of Personnel Management revealed a second breach of a security clearance database that contained the background check files of millions of military and intelligence community members.
  • The number of affected individuals has risen from an initial estimate of 4 million to 14 million. The latest estimate is 18 million affected individuals.
  • The OPM ignored several warnings from its own inspector general that its security practices were dangerously negligent.
  • Much of the personnel data had been stored in the lightly protected systems of the Department of the Interior, because it had cheap, available space for digital data storage.
  • The attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. Encryption would not have saved the data from such an attack.
  • The average social media account is probably safer than OPM data. Most social media services provide the option of two-factor authentication. There was no multi-factor authentication for OPM data. The attackers would have been able to use stolen credentials, at will, to access systems from within and outside of the network.
  • Chinese hackers breached FBI agents’ personnel files; up to 35,000 individuals may be affected. Putting FBI agents' data at risk could have national security implications, as many investigate domestic terrorist plots and foreign spies.
  • OPM gave root system access (root is privileged system access authority) to foreign contractors in China.
  • Systems at the I.R.S. allowed employees to use weak passwords like “password.” 
