A new report released by the House Oversight and Government Reform Committee, chaired by Rep. Jason Chaffetz, blamed former OPM Chief Information Officer Donna Seymour and Director Katherine Archuleta for what became the largest U.S. government data breach in history.
Largest U.S. Government Data Breach
The OPM hack exposed sensitive files of 21.5 million people, of which 4.2 million were current and former federal employees. The rest were their closest relatives. The hack also exposed 5.6 million fingerprints; unlike a password, a fingerprint cannot be changed once stolen, so those prints should no longer be trusted for biometric authentication.
To remind everyone just how significant the hack was and how much it affected the U.S. government, the report contained a few quotes from high-ranking current and former intelligence and law enforcement officials:
“This is crown jewels material … a gold mine for a foreign intelligence service. This is not the end of American human intelligence, but a significant blow,” said former NSA Senior Counsel.

“We cannot undo this damage. What is done is done and it will take decades to fix,” said John Schindler, former NSA officer.

“[The SF-86] gives you any kind of information that might be a threat to [the employee’s] security clearance,” said Jeff Neal, former DHS official.

“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is there,” said James Comey, Director of the FBI.

“[OPM data] remains a treasure trove of information that is available to the Chinese, until the people represented by the information age off. There’s no fixing it,” said Michael Hayden, former Director of the CIA.
Although fingerprints and social security numbers were also stolen, the most sensitive information was contained in the Standard Form 86 (SF-86) files. These forms are required of anyone applying for a security clearance to access classified information. The personal history they contain, combined with the stolen fingerprints, could serve as stepping stones for future intrusions: the fingerprints in particular remain usable for impersonation unless every government system that accepts them is changed to reject the compromised prints.
The SF-86 files also contained personal information such as whether the employees consumed illegal drugs, abused alcohol, gambled, or whether they consulted medical professionals for certain mental health conditions. This type of information could potentially be used as blackmail material.
In a way, asking for this sort of information seems counterproductive. The U.S. government wants prospective employees to disclose anything that might be used to blackmail them, and then stores that blackmail material for millions of employees in a single place. Regardless of how good the security of that system is, it becomes too attractive a target, and it is only a matter of time before it gets hacked.
A Decade Of Bad Security
According to the House report, the OPM Inspector General (IG), who performed security audits of OPM’s systems, had warned since at least 2005 that the data was vulnerable to hackers. Nine years later, in 2014, the IG upgraded OPM’s security rating from “material weakness” to “significant deficiency,” a less severe designation but still a serious audit finding. In other words, OPM’s systems were still highly vulnerable. That was also the year the OPM hack happened.
A year after that, in 2015, the IG reported that “OPM continues to struggle to meet many FISMA requirements” and with “overall lack of compliance that seems to permeate the agency’s IT security program.”
After OPM made the breach public, roughly a year after it happened, some security firms opined that the damage could have been greatly diminished if employees had used two-factor authentication. A 2015 Office of Management and Budget (OMB) report also identified OPM as one of the agencies with the “weakest authentication profile.”
The OPM also allowed some systems to operate without a security assessment and valid Authority to Operate (ATO). In 2014, the IG called the increasing number of OPM IT systems without an ATO “alarming.”
OPM’s data breach was perpetrated by two attackers, who the House committee believes likely coordinated with one another. By the time OPM and DHS moved to eliminate “Hacker X1” (the name given by the committee to the first hacker) from its systems, “Hacker X2” had already planted a backdoor in the network. The backdoor went undetected because of OPM’s weak security systems and IT policies.
The Breach Could’ve Been Prevented
According to the report, OPM’s poor IT security hygiene, its reluctance to prioritize security for its most critical data, and its leadership’s decision to monitor what Hacker X1 was doing inside its systems for months before sounding the alarm were all major factors in exposing the data of 21.5 million people. Had OPM acted more quickly and begun securing its networks sooner, the attackers may not have been able to steal the most sensitive information.
It wasn’t until April 2015 that OPM began using two-factor authentication and other preventative security measures. High-value targets such as OPM can’t rely on anti-virus software and firewalls alone. Firewalls can be bypassed by sophisticated attackers, and such attackers avoid malware and exploits that anti-virus vendors have already analyzed and written signatures for. They are far more likely to use zero-day exploits and custom tooling, so defenses that do not depend on recognizing known malware, such as monitoring for anomalous network behavior, are needed as well.
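One way to catch a backdoor that no signature knows about is to look at how it behaves rather than what it is: an implant that phones home on a timer produces connections whose spacing is far more regular than a human’s browsing. The following is an added example (not code from the House report or from OPM) that flags such beaconing in proxy logs. The log lines, host names and IP addresses are constructed for the example, and the thresholds (at least 5 connections, coefficient of variation of the intervals at or below 0.1) are assumptions that would need tuning for a real network, where implants often add jitter to defeat exactly this check.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real OPM data). Fields are:
# timestamp, source host, destination host, bytes sent outbound.
# 10.1.1.5 talks to cdn-sync.example.net almost exactly once an hour
# (the simulated implant) and to mail.example.gov at irregular times.
SAMPLE_LOGS = """\
2014-12-01T09:00:00 10.1.1.5 cdn-sync.example.net 1480
2014-12-01T09:00:07 10.1.1.5 mail.example.gov 2300
2014-12-01T09:03:40 10.1.1.5 mail.example.gov 1900
2014-12-01T09:12:00 10.1.1.9 intranet.example.gov 600
2014-12-01T09:12:30 10.1.1.9 intranet.example.gov 610
2014-12-01T09:13:15 10.1.1.9 intranet.example.gov 590
2014-12-01T09:45:12 10.1.1.5 mail.example.gov 2100
2014-12-01T09:50:00 10.1.1.9 intranet.example.gov 620
2014-12-01T10:00:02 10.1.1.5 cdn-sync.example.net 1475
2014-12-01T10:59:59 10.1.1.5 cdn-sync.example.net 1490
2014-12-01T11:20:03 10.1.1.5 mail.example.gov 2400
2014-12-01T11:21:00 10.1.1.5 mail.example.gov 2200
2014-12-01T12:00:01 10.1.1.5 cdn-sync.example.net 1482
2014-12-01T13:00:00 10.1.1.5 cdn-sync.example.net 1478
2014-12-01T13:59:58 10.1.1.5 cdn-sync.example.net 1495
2014-12-01T14:10:30 10.1.1.5 mail.example.gov 2000
"""


def parse_logs(text):
    """Parse whitespace-separated log lines into dicts; malformed lines are skipped
    rather than crashing the detector (an attacker-influenced log is untrusted input)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, sent = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "src": src,
                           "dst": dst, "bytes_out": int(sent)})
        except ValueError:
            continue
    return events


def detect_beacons(events, min_events=5, max_cv=0.1):
    """Return (src, dst) pairs whose inter-connection intervals are suspiciously
    regular. Regularity is measured as the coefficient of variation (std / mean)
    of the gaps between consecutive connections; machines beacon, people don't.
    Pairs with fewer than min_events connections are not judged (too little data)."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)

    findings = []
    for (src, dst), evs in by_pair.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e["ts"])
        intervals = [(later["ts"] - earlier["ts"]).total_seconds()
                     for earlier, later in zip(evs, evs[1:])]
        avg = mean(intervals)
        if avg <= 0:  # all events at the same instant: not a beacon pattern
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(evs),
                "mean_interval_s": avg,
                "cv": cv,
                "bytes_out": sum(e["bytes_out"] for e in evs),
            })
    # Most regular (most beacon-like) pair first.
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in detect_beacons(parse_logs(SAMPLE_LOGS)):
        print(f"{f['src']} -> {f['dst']}: {f['events']} connections every "
              f"~{f['mean_interval_s']:.0f}s (cv={f['cv']:.4f}), "
              f"{f['bytes_out']} bytes out")
```

On the constructed input only the hourly cdn-sync.example.net traffic is flagged; the mail traffic from the same host is far too irregular, and the intranet host never reaches the five-connection minimum. The check says nothing about what the implant is, which is the point: it works just as well against a backdoor no vendor has a signature for.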
The House committee claimed that the OPM had the tools to prevent the data breach, but the agency failed to leverage them because of the agency’s poor security culture and policies. It now hopes that under the new leadership of Acting Director Beth Cobert, decades of mismanagement can be remedied.