The Office of Personnel Management (OPM) manages the hiring, work conditions and pensions of Federal employees in the US. This week it has admitted to being the target of a massive cyberattack that has stolen the details of almost 4m Federal government employees.
The fallout of this is likely to go on for several months as government committees and other organisations hold multiple hearings in order to place the blame. However, the US Government has only to look back to 2012, when a report from DARPA to the Senate Defence Committee said: “…all networks [we monitor] are compromised and money spent on securing network access should be spent on securing the data.”
Questions that need answering
There are a number of questions that will need answering quickly. The first is why there is no two-factor authentication for federal systems. The US Government already uses the Common Access Card (CAC) which delivers two-factor authentication to secure buildings, sites and some computer systems. Why this is not ubiquitous will be a major focus.
EINSTEIN, the Department of Homeland Security intrusion detection system, discovered the attack but only after vast amounts of data were copied. Why it failed to spot the attack earlier and before so much data had been copied will worry many. After all, this is not the first breach of federal data in recent months and it will be interesting to see how long EINSTEIN remains the first line of defence.
Building on the comment from three years ago by DARPA, it will concern many that this data appears to have been unencrypted. Best practice for any sensitive personal data is that it is stored encrypted. Many will want to know why US Government departments, especially one such as the OPM that holds such large amounts of personal data, were failing to meet such basic best practice.
There are many other questions that will be asked over the next few months but one thing that many are currently ignoring is what OPM did to alert users.
OPM quick to issue advice to employees
One of the issues that we have seen with the attacks against Target, Home Depot and other large organisations is that their response to protect staff and customers has often been slow and very limited. In this case, the OPM has responded with a release that details what action it will be taking and what action employees should take to help protect themselves.
It has laid out a timetable whereby it will notify all employees whose PII is believed to have been compromised. This will start on June 8th and will take 11 days to complete, which might seem like a long period until you realise that this means dealing with just under 400,000 notifications per day.
Interestingly it has also chosen to name the email account from which the notifications will come. This is a risk as it assumes users are cyber aware enough to spot when cyber criminals send out emails purporting to be from that account while redirecting responses to a different email address.
The OPM has also offered all affected individuals 18 months of credit monitoring and fraud detection with CSID. The deal also includes $1 million in identity theft protection services at no extra cost to those enrolled. This is a smart move and sets a standard for private companies to match.
The OPM has also provided a set of contact details for those in California, Kentucky, Maryland and North Carolina. All other employees will have to use the Washington-based Identity Theft Clearinghouse. Its guidance, advice and information on how to avoid being a victim is reproduced below.
OPM has issued the following guidance to affected individuals:
- Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
- Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.
- Review resources provided on the FTC identity theft website, www.identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
- You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.
How to avoid being a victim:
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).
- Take advantage of any anti-phishing features offered by your email client and web browser.
- Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
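The risk noted earlier, that criminals will send mail purporting to come from the announced notification account while redirecting replies elsewhere, and the guidance above about look-alike URLs, can both be checked mechanically. The following Python check is an added example, not part of the OPM release or this article; the sender account, the expected domain and the sample message are constructed placeholders, not OPM's real addresses.

```python
"""Flag notification e-mails that impersonate an announced sender address.

Two tells are checked: a Reply-To that sends responses to a different domain
than the From address, and links whose host is outside the expected domain
(a spelling variation or a different TLD such as .net instead of .gov).
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Assumption: the domain of the announced notification account (placeholder).
EXPECTED_DOMAIN = "example.gov"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def check_notification(raw: bytes, expected_domain: str = EXPECTED_DOMAIN) -> List[str]:
    """Return a list of findings for a raw RFC 5322 message; empty means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_domain = _domain(str(msg.get("From", "")))
    reply_domain = _domain(str(msg.get("Reply-To", ""))) or from_domain
    if from_domain != expected_domain:
        findings.append(f"From domain {from_domain!r} is not {expected_domain!r}")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host != expected_domain and not host.endswith("." + expected_domain):
            findings.append(f"link host {host!r} is outside {expected_domain!r}")
    return findings


# Constructed sample: the From address looks right, but replies are redirected
# to a look-alike domain and the link points at that same look-alike.
SAMPLE = b"""From: Notifications <notifications@example.gov>
Reply-To: Notifications <help@example-gov.net>
Subject: Your personal information may be affected
Content-Type: text/plain

Please confirm your details at http://example-gov.net/verify before June 19.
"""

if __name__ == "__main__":
    for finding in check_notification(SAMPLE):
        print("FLAG:", finding)
```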
Now that the attack has happened, the OPM is doing a good job of getting information and advice out to Federal employees. Its reaction is something that a lot of companies should take close note of and look to incorporate into their own incident response.
As to the attack itself, we will be hearing about this for some time to come. However, it remains to be seen if this is finally the point at which the US Government acts on recommendations and brings its own security in line with industry best practice.