OPM hacked, 4 million records compromised
Was it China?
US officials suspect hackers in China are responsible for a cyber attack on the Office of Personnel Management’s (OPM) computer systems that left the personal information of almost four million current and former federal government employees exposed.
The breach, which was detected back in April, is now being described as one of the largest thefts of government data ever seen. DHS concluded back in May that the information had indeed been compromised and stolen, but so far neither OPM of the FBI have indicated exactly whose records have been exposed.
More from WaPo:
“Certainly, OPM is a high value target,” said OPM Chief Information Officer Donna Seymour, in an interview. “We have a lot of information about people, and that is something that our adversaries want.”
With that understanding, she said, within the last year “OPM has undertaken an aggressive effort to update our cybersecurity posture, adding numerous tools and capabilities to our networks. As a result of adding these tools, we were able to detect this intrusion into our networks.”
“Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM,” said the agency’s director, Katherine Archuleta, in a statement.
According to an unnamed Congressional aide, the Interior Department was also hacked. Another source for CBS News said that the data breach could potentially affect every government agency.
If the hack is traced back to China, it will be the second major breach executed by Chinese hackers in the space of a year, and one of several hacks affecting federal workers:
In December 2014, the government confirmed that the computer files of more than 40,000 federal workers may have been compromised by a cyberattack at federal contractor KeyPoint Government Solutions. KeyPoint became the largest private clearance firm working for federal agencies several months ago after rival contractor United States Investigative Services (USIS) lost its investigations business with the government following a devastating cyberattack reported earlier that year.
The USIS breach, similar to previous hacking episodes traced to China, tainted the files of at least 25,000 Department of Homeland Security workers and prompted the personnel office’s decision to halt all of USIS’ government field work. That move led to the cancellation of more than $300 million in contracts with USIS.
A wide-ranging strike reported in November compromised the data of more than 800,000 Postal Service workers. The personnel office itself was targeted earlier by cyberhackers traced to China.
We’ll keep you updated on the investigation.
Donations tax deductible
to the full extent allowed by law.
How about not having the servers with that information accessible from the internet?
That would be an inconvenience for the NSA.
Can’t they just pull it out of their….. Like they used to?
It may not be that simple.
At work, do you have access both to the internet and internal, non public network resources from the same machine? If so… your network & all of it’s secrets are also possibly exploitable.
It’s easy to assume that there was some big server which contained a whole lot of useful data that just happened to be internet facing and that the bad guys were finally able to exploit… but that is usually not the case.
Ever get an email that looks to be from your bank asking you to confirm your info? We call those ‘phishing’ attacks, broad attempts at tricking unsuspecting people to give up their name, address, SSN, password, you name it.
There is a separate class, the spear-phishing attack which relies on explicit targeting of someone with a email & link or other targeted attack that would seem innocent to the victim.
Lets say I trick you (or any number of employees at your company) to click on a link that you think rather innocuous, unknown to you I installed some malware on your PC as a result which allows me now to do things on your corporate network.
Even if you do not have access to the master HR database, you probably have access to lookup who owns such a thing based on department or job function.
Now I sent an email (from your account) to someone on the HR team who I think might… using a similar spear-phishing attack (why wouldn’t they read the email from a fellow employee who was raising a concern via an external link?).
If they happen to become infected I’ve not only increased the # of PCs I remotely control, but I have escalated my access of the network to a different group. Maybe this person too doesn’t have access to the master DB, maybe their boss does. How do you think that boss would react to an email from their direct report which seems rather legit with a link about an issue that was recently discussed in previous emails?
Not long after 9/11 there was the proposal that every government employee have two PCs… one connected to a fully private government intranet, and one which had access to the internet. So long as no PC was ever connected to both, this strategy would work as it would be physically impossible for some remote bad guy to take control of a ‘private’ machine and use it further… that never happened. Instead we have this mix of machines which have access to the public internet and also have access to private networks.
In the world of computer security it is a delicate balancing act between convenience and security, and far too often due to pressures from on high, convenience tends to win out.
“Lets say I trick you (or any number of employees at your company) to click on a link that you think rather innocuous, unknown to you I installed some malware on your PC as a result”
Where I work, we don’t have privileges to install software on our local machines or network. If you try to install anything executable, a warning pops up to call IT. You can’t even install something as innocuous as a screen saver. One of my colleagues tried to plug a USB digital photo frame into his work PC, and he got the “call IT” lock screen, and it turns out it was sneakily trying to install something on his local computer. And email attachments, like .pdfs and .docs, only open in a “quarantine” area, where they are scanned before we’re allowed to do anything with them.
It’s weird that a small defense contractor in the boonies has more malware protection than the US government??
This contract like so many others was awarded for and with political considerations over technical qualifications.It is the obama way, he explained this is how things get done in Washington and Chicago.
we should ask them for Hillary’s emails
They’re selling it as a win !!
“Thanks to them” the intrusion was detected. They’re the best. (Never mind that their job was to PREVENT the intrusion from happening in the first place.)
My 20 bucks say that “update” was improperly deployed/configured and that’s when they became vulnerable to an attack.
We’ll never know for sure, ’cause there will be no real investigation and nobody will be fired.
Exiliado, you beat me to the post! I was going to comment the same. Gee, aren’t we clever? We detected a break-in!”
That makes me feel so secure!
I don’t think whoever wrote that, could have written it with a straight face. How could you not laugh??!! Ridiculous!
“The System Worked!”
“Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM,”
So they’ve failed miserably at their highest priority? Makes me feel all warm and fuzzy.
The New York Post had some further news from that meeting where women (and men) were charged $2,700 to be in the same room with Hillary Clinton.
Hillary Clinton said that the White House would not have been hacked had they been using her server.
I don’t think she intended this to be taken as a joke.
She also took the opportunity to praise NY Rep. Carolyn Maloney (who was there?) for her efforts to get money for first responders for alleged health harm from working at ground Zero after the attacks.
This was practically the only issue Hillary Clinton concerned herself with during her time in the Senate, and to soem degree, it was a scam, notwithstanding the fact that a lot of people did not wear masks, because it was not approeciated by many people how bad smoke inhalation was.