On June 4th, 2015, the Office of Personnel
Management (OPM) announced that its network, which included millions of
federal employee records, was compromised. The facts of the breach follow a
common pattern: the breach resulted from alleged state-sponsored hacking,
and personally identifiable information was compromised. What made this breach different from others is
the size and scope of the information stolen. This breach may have gone far
beyond social security numbers and dates of birth, and may have been connected
to an earlier breach in 2013.
OPM’s Chief Information Security Officer, Donna Seymour,
recently testified at a House Oversight hearing that during the 2013 breach hackers
took "some manuals about our systems." While the 2013 breach was initially
downplayed, there is current speculation that it could have provided a roadmap
to penetrate OPM networks for the recent breach. The breach likely involved personally
identifiable information from security clearance records and background check
information, including mental illness and drug and alcohol use records.
The number of records compromised remains uncertain as OPM’s
estimate of 4.2 million records has come into question. James Comey of the Federal
Bureau of Investigation states the number could be 18 million based on OPM’s
initial investigation report.
OPM’s data breach response has provided valuable lessons for
other organizations that may find themselves in a similar situation:
- After an intrusion is detected, regardless of
whether or not data was compromised, appropriate steps need to be taken to
remediate any vulnerability. This may involve significant yet necessary
investment in IT infrastructure to prevent cyber attacks in the future.
- The general public will be much less forgiving
of a second intrusion, especially if they believe it could have been prevented
from lessons learned in the first attack.
- Any announcement regarding the exact number or
types of records impacted must be correct the first time.
While no two breaches are exactly alike, there are generally
accepted best practices that should be followed in order to mitigate both the
financial and reputational harm that will occur.
Other government hacks clearly
indicate the force and will of those seeking to carry out an attack on
organizations. Cyber attacks and data protection are a growing concern for all
organizations in the private and public sectors, and should be a topic discussed
before an event occurs, not after the fact. Contact a HUB cyber expert who can bring
experience and counsel to help you reduce the threat of a cyber attack to your
a HUB Cyber Expert.