Personal info of 4 million US government workers compromised in OPM breach

Approximately 4 million US federal employees, both current and former, will start receiving a breach notification alerting them that their personal information has potentially been compromised.

The reason for the notification is the discovery of a breach the US Office of Personnel Management’s (OPM) network. The OPM is an independent agency of the US federal government, which recruits and retains government employees, keeps records of their work, conducts background investigations for prospective employees and security clearances across government, and so on.

“Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks. As a result, in April 2015, OPM became aware of the incident affecting its IT systems and data that predated the adoption of these security controls,” the OPM shared in a statement on Thursday.

“Since the incident was identified, OPM has partnered with the US-CERT and the FBI to determine the impact to Federal personnel. And OPM immediately implemented additional security measures to protect the sensitive information it manages.”

The OPM noted that the notification will come either via email or US post, and will contain information regarding credit monitoring and identity theft protection services that will be provided to the affected individuals. They have warned them and other, unaffected individuals to be on the lookout for email and phone phishing attempts that are likely to follow in the wake of this breach.

According to the Washington Post, the attackers gained access to the following information: Social Security numbers, job assignments, performance ratings and training information.

They did not access databases that contain information on background investigations or employees applying for security clearances.

Apparently, the attackers leveraged a zero-day exploit to gain access to the network and, according to government officials, they are state-sponsored. The finger has been pointed at China. In fact, according to iSight Partners, the attackers are the same ones that breached US health insurer Anthem earlier this year.

“We believe they are creating a tremendous database of personally identifiable information that they can reach back to for further activity,” iSight senior manager John Hultquist commented for the NYT. “It looks like they are casting a very wide net, possibly for followon operations or identifying persons of interest, but we’re in a new space here and we don’t entirely know what they’re trying to do with it.”

China has denied involvement in the attack.

“The timing of this breach is ironic,” commented Bob West, CTO at CipherCloud. “From taxpayer to federal employee information, federal departments and agencies are gold mines for intruders. Yesterday, an FBI official called for companies to use any tools except for encryption to protect their information. Had agencies encrypted the information that was breached, the fallout would not have been as severe. In the case of the IRS, it had been warned multiple times that its security practices were dated.”

“This breach contrasts the government’s priorities. In this case, the public and the people who serve this country are the ones who suffer,” he pointed out, and added: “We need to strengthen how information is protected, not weaken the controls we use. When we weaken security, we hurt ourselves both politically and economically.”

“Theft of personal and demographic data allows one of the most effective secondary attacks to be mounted: direct spear-phishing to yield access to deeper system access, via credentials or malware thus accessing more sensitive data repositories as a consequence. These attacks, now common, bypass of classic perimeter defenses and data-at-rest security and can only realistically be neutralized with more contemporary data-centric security technologies adopted already by the leaders on the private sector,” says Mark Bower, global director, HP Security Voltage.

“So why is this attack significant? Beyond spear-phishing, knowing detailed personal information past and present creates possible cross-agency attacks given job history data appears to be in the mix. Thus, its likely this attack is less about money, but more about gaining deeper access to other systems and agencies which might even be defense or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft.”