One Year After OPM Data Breach, What Has The Government Learned?
This week marks a year since the government first revealed that hackers had stolen personnel files of some 4 million current and former federal employees.
About a month later, that number grew to more than 20 million people, including contractors, family members and others who had undergone background checks for federal employment. Everything, from Social Security numbers to birth dates, even fingerprint records, was accessed through Office of Personnel Management networks.
"Massive Data Breach," the headlines called it.
So has anything changed in the succeeding 12 months?
Acting OPM Director Beth Cobert thinks so. "There's a whole series of things around technology, around people, and around process that are different today than a year ago," she says.
Cobert is herself one of the changes at OPM, named to replace Katherine Archuleta, who resigned under pressure from Congress last July.
Cobert says cybersecurity has been amped up at OPM under her watch. The agency now requires employees to use two-factor authentication to log into their computers, meaning a password and a secure card. Employees can no longer access their Gmail accounts from their office computers. OPM has also implemented new tools to detect malware. Colbert says the government can see all the devices connected to its networks as well as monitor the data moving into and out of the system.
"There's a whole series of multilayer defenses we've put into our systems," she says.
It's still unclear how exactly the data were stolen, but investigators believe that hackers may have gained access to the government system through a contractor's website. So the Departments of Defense and Homeland Security have been helping OPM design a new, more secure software system to allow the personnel agency to conduct its own government background checks rather than outsourcing them.
"[OPM] had older systems, that needed to be modernized," says Ann Barron-DiCamillo, who led the DHS cyber team that investigated the OPM breach. "They had neglected networks from the perspective of putting in the cybersecurity sensors and technologies that they need to find adversaries in the network."
Plus, OPM workers were using weak usernames and passwords, she says. "The majority of things that were hitting OPM at that time was going to be your typical phishing scams, you know, targets of opportunity," Barron-DiCamillo tells NPR's Audie Cornish. Barron-DiCamillo says much attention has been paid to brand-new vulnerabilities, but in many cases, on older civilian systems, hackers exploit older vulnerabilities that have existing fixes that aren't adopted fast enough — in many cases out of budget constraints.
"[The OPM hack] brought into the forefront that smaller-sized, medium-sized agencies that didn't consider themselves to be such a threat to cyberactivity from data thieves, that they also have this potential publicity associated with becoming a target and becoming a victim," Barron-DiCamillo says. "They have increased the spending associated with that or are asking Congress for increased budgets."
Rep. Will Hurd, chairman of the information technology panel of the House Oversight Committee, says OPM may be moving in the right direction now, but vulnerabilities remain across government agencies — whether it's the Department of Education, which he says has "tons of information on anyone who's going to school," or the Social Security Administration.
"They're not even adopting some of the best practices when it comes to good digital system hygiene," says Hurd, a former CIA agent whose personnel records were among those hacked.
It took OPM some six months to formally notify the millions who had their records breached. They're now eligible for three years of credit monitoring and identity theft protection services.
Hurd says he personally hasn't noticed any ill effects from the stolen records, but Ryan Lozar thinks he has.
The former federal court law clerk says he froze his bank accounts after someone spent thousands at Best Buy in his name and opened a PayPal account. The hack has caused him "endless explaining, explaining, explaining," dealing with his banks," Lozar says. "It's just kind of exhausting and frustrating."
Lozar is a plaintiff in a class-action suit filed against the government by the American Federation of Government Employees. Among other things, it seeks monetary damages as well as lifetime credit monitoring and identity theft protection for the affected people. A hearing is expected this fall.
Barron-DiCamillo says her information was also part of the breach. She encourages those affected to use the free credit monitoring and identity theft protection services — and make sure to monitor them.
"There's an interesting discussion I heard from OPM that they should even offer [lifetime identity theft protection] as part of federal benefits, because of the kinds of data that they mandate that we provide to them when we sign up for service in federal government," says Barron-DiCamillo, who's now chief technology officer at Strategic Cyber Ventures. "I thought that was a great idea; I think they should look toward providing this as a benefit, just like health care that they provide for federal employees."
Government officials have pointed to China as being behind the breach. Whoever it is, Cobert acknowledges that the U.S. government still has work to do.
"There's a whole set of adversaries out in the world who keep looking for bad things," she says, "and we've got to fundamentally modernize our systems to build in security by design."
Copyright 2021 NPR. To see more, visit https://www.npr.org.