lolloj - Fotolia
Basic security controls could have prevented the breach that exposed the personal data of more than 21 million current and former government employees, according to a congressional report.
The 2015 breach at the US Office of Personnel Management (OPM) included 19.7 million background investigation applications and 1.8 million non-applicants.
The breach was in addition to the 4.2 million records exposed in the first OPM breach in December 2014, which the report said was a missed opportunity to put effective defences in place.
The report by the House Committee on Oversight and Government Reform said the OPM failed to recognise from the 2004 breach that it was vulnerable to attacks by sophisticated, persistent adversaries, and failed to put in place the basic necessary security controls, reported Associated Press.
The congressional report said the OPM also failed to deploy security tools to detect malicious code and other threats quickly enough. When such a tool from security firm Cylance was eventually deployed, it found malware throughout the federal computers, according to an engineer quoted in the report.
In an interview, committee chairman Jason Chaffetz said that the breach was entirely preventable. “With some basic hygiene, some good tools, an awareness and some talent, they really could have prevented this,” he said.
The report stated that for two months after the first breach in March 2014, the OPM worked with the FBI, the National Security Agency (NSA) and others to monitor the intruder and developed a plan to expel the individuals or individuals responsible from the network, but they failed to detect another, possibly related, intrusion.
The second intruder used credentials stolen from a third-party contractor to log into the OPM network, install malware and create a back door to return several times in the following months to copy the data, which also included personnel files and fingerprint data.
OPM acting director Beth Cobert said in a statement that the agency disagrees with much of the report. The report “does not fully reflect where this agency stands today,” she said, adding that the hack “provided a catalyst for accelerated change” within the OPM, including hiring new cyber security experts and strengthening its security.
Read more about cyber security
- The UK’s National Cyber Security Centre (NCSC) is to be the UK's one-stop authority on infosec, based in London and led by GCHQ's Ciaran Martin
- Government has announced a £250,000 programme to increase the rate of cyber security startup development in the UK
- An essential part of information security is identifying and managing the risks, experts tell the European Information Security Summit 2016
- Chancellor George Osborne promises a £1.9bn investment in cyber security over the next five years and to “aggressively defend” public services from cyber
The OPM hack is widely believed to have been part of a China-based cyber espionage campaign, and although the report does not give any details about who was responsible, it said the breaches were likely perpetrated by the group Deep Panda, which has been linked to the Chinese military.
CESG director of cyber security Alex Dewdney told RSA Conference 2016 in San Francisco that the OPM hacks were “very scary” for those responsible for UK government cyber security.
“It scared people who had not thought much about cyber security,” he said, adding that this was really helpful because it resulted in the recognition by the UK government of the need to reform the role of its senior information risk office (Siro).
The breaches inspired a fast-paced survey of the UK government’s holdings of bulk data, said Dewdney, as well as a measurement of the extent government departments were adhering to a “fairly basic set” of control measures, which in turn led to remedial action.