Follow-Up Friday: A Year After US Gov Got Hacked, It’s Still A Mess

Maybe the worst hack ever exposed millions of sensitive personnel files. Here’s where we stand now. It’s not reassuring.

Jessi Hempel
Backchannel
Jul 8, 2016

The Office of Personnel Management’s Katherine Archuleta (director), Patrick McFarland (inspector general), and Donna Seymour (CIO) appear at a House Oversight and Government Reform Committee hearing last June.

JULY 8, 2015

The Obama administration revealed that 21.5 million people were made vulnerable through a massive breach of government computer systems that resulted in the theft of social security numbers, fingerprints and other personal information.

THE CONTEXT

The damage was far greater than anyone thought. The attack on the Office of Personnel Management (OPM), which is believed to have originated in China, was the largest known hack of 2015. Basically, anyone who had had a government background check within the last 15 years was likely affected. Days later, amid an intensifying backlash, director Katherine Archuleta resigned.

After the news broke, things got worse. In September, OPM admitted the number of federal employees’ fingerprints compromised had grown from 1.1 million to 5.6 million.

ONE YEAR LATER

OPM has been working to better secure its databases and eventually move the background investigations database under the control of the Department of Defense. I called OPM to see what’s changed. Here’s what it has done:

  • Deployed two-factor authentication for all users
  • Put a continuous monitoring system into place for all IT systems
  • Hired a cybersecurity advisor
  • Hired Cord Chase as Chief Information Security Officer to supervise a newly established, centralized IT security workforce
  • Limited remote access to government-owned computers, rather than personal devices
  • Deployed lots of new cybersecurity tools, such as anti-malware software and a data loss prevention system
  • Strengthened cybersecurity awareness training for the staff

But a May independent audit report is critical of the efforts, saying that OPM moved too fast to shore up its IT without evaluating the cost of its solutions, and concluding that there is “a very high risk that the project will fail to meet its stated objectives of delivering a more secure environment at a lower cost.”

For a bit of perspective, I spoke with Morgan Wright. He’s a cybersecurity analyst and senior fellow with the think tank Center for Digital Government who was also a victim of the attacks. He’s still angry. “I had 37 pages of the most intimate details of my life breached,” said Wright, referencing the security clearance questionnaire he’d first filled out in 2001 to gain clearance for some Department of Defense projects. “I gave it to the government because they wanted to trust me.” He says he received notice that his information had been compromised on December 11 — nine months after the attack occurred.

Not surprisingly, Wright doesn’t feel the federal government has done enough to protect against future attacks. “I have zero faith in the civilian portion of the federal government to defend and protect my information,” says Wright.

Indeed, in government and in business, the threat of cyberattack is rising. The nonprofit Identity Theft Resource Center tracked 781 data breaches in the United States last year. It reported that 177 million personal records were exposed in data breaches in 2015. That’s double the 85.6 million records that were exposed in 2014.

Meanwhile, a tenth of the OPM victims have yet to be notified because letters didn’t reach them. “We have worked to get updated addresses for those whose letters were returned, and we are now remailing letters to those who did not receive their original notification letter for the background investigation incident,” an OPM spokesperson told me.

If you’ve still got questions, you’re not the only one. The OPM attempts to answer them here.

Follow-Up Friday is a weekly series that will call out a news event from recent history, put it in historical context, and update you on what’s become of the issue or event. At Backchannel, we want to think more holistically about tech news, and we want to help you do the same. We think that’s the way to best understand the single narrative of our time — the impact of the rise of the Internet. And we welcome you to continue the discussion by responding below.

Jessi Hempel
Backchannel

I am the head of editorial for Backchannel. I write about the business and culture of technology. And I want to edit your stories on those topics as well.