The US Office of Personnel Management (OPM) recently released details about two cybersecurity incidents that impacted the data of Federal employees, contractors and others. In April 2015, it was discovered that a security incident had exposed the data of 4.2 million current and former employees. While investigating this incident, the OPM discovered that the breach was larger than originally thought.
The OPM now says that 21.5 million individuals were affected by this breach, with exposed information including Social Security Numbers (SSNs), residency information and detailed personal and financial information from background investigations. This applies to those who applied for a background investigation, as well as some non-applicants. Other news organizations are reporting that the breach may have affected as many as 25 million individuals, which is about 7% of the US population.
This breach has many concerned given the detailed level of information involved, particularly if those affected are federal workers, military personnel or those with high security clearances. The source of the hack has been connected to China, causing many to be concerned over the future use of the stolen information.
The OPM has already faced many congressional hearings and is facing two lawsuits (so far) related to the breach. It has come to light that the OPM may have a history of overlooking issues with its IT infrastructure that may have contributed to the breach. While this breach is certainly one of the most concerning to date, it also offers valuable learning opportunities for both public and private organizations:
- Keep all systems up to date, applying regular patches instead of scheduling them for a later time. The longer systems remain unpatched, the greater the risk they will be exploited. Many OPM systems lacked patches or were running without valid authorization.
- Conduct, and respond to, regular risk assessments that look both at how data is stored and how data is accessed. The OPM failed to act on a report citing issues with tracking devices, encryption and other basic security standards. The OPM had no active inventory of servers or systems connected to its networks, nor proper authentication for remote access.
- Make security a priority from the top-down, with board-level and C-level involvement in security, a strong IT security team, and a leadership role such as a CISO. The OPM had no IT security staff until 2013, an oversight which still shows.
- Be prepared for a breach, with a data breach response plan and a trained team to handle the incident. This can help mitigate both the breach and its fallout.