Update: US government data breach exposes 4 million employees

Experts say the US government should have been better prepared for a massive data breach that exposed the personal details of over four million employees.

US Office of Personnel Management

According to a report from Associated Press, China-based hackers are suspected of the break-in.

The Department of Homeland Security (DHS) said that the FBI is investigating a breach at the Office of Personnel Management (OPM) and the Interior Department.

Senator Susan Collins, a Republican from the state of Maine and member of the Senate Intelligence Committee, pinned the blame on hackers based in China.

However, the Chinese Foreign Ministry in Beijing has reportedly denied the claim, as is its standard practice following allegations of Chinese involvement. The ministry's spokesman said hacking is a transnational activity and that, without corroborating evidence, it is difficult to identify the source of an attack.

The breach could impact every federal agency, as OPM serves as the human resources department for the federal government, and it conducts more than 90 percent of federal background investigations.

The breach is thought to have started in May and was detected by the Department of Homeland Security's intrusion detection system, known as EINSTEIN.

Experts were quick to draw lessons from the breach, which resembles so many that have come before it, agreeing that the consequences for government employees are high.

James Maude, security engineer at endpoint security software firm Avecto, said that federal employees would be especially concerned that OPM was breached as the department conducts detailed and thorough background checks. “Federal employees will be especially concerned as OPM will store highly detailed information that would be more than enough to identify someone, compromise their identity or monitor them,” he said. This could include US intelligence agency staff.

“In terms of sensitive data, whoever carried out this attack has hit the mother lode,” said Chris Boyd, malware intelligence analyst at Malwarebytes. “If reports are correct and a huge number of government employees' details have been compromised, then this could not only be used for financial gain, but also as the basis for targeted attacks through spear phishing. Government employees pose a lot of interesting opportunities for so-minded individuals, and a stolen database of their details has a lot of value.”

Avecto's James Maude suggested several weaknesses that could have made the attack possible. “What is often clear in these attacks is that most current defences are not sufficient to deal with the attacks. Many still rely on signature-based detection to identify the known bad, an idea that is fundamentally flawed and unable to keep up with the volume of attacks. Another big problem is over-privileged users; in Government this is often referred to as 'the Snowden problem', where users are given wide-reaching powers and access with little or no oversight. When threats cannot be identified and users can access too much, you create the perfect environment for a data breach.”

Grayson Milbourne, security intelligence director at Webroot, called on the US government to rethink its security. “Clearly, the government's approach to cyber-security needs to be reformed, prioritized and accelerated. That the breach might have been carried out by the Chinese does not absolve the OPM of blame. The issue here is the government's technological failings and what it should be doing to prevent future attacks.”

Avecto's Maude added that blaming the Chinese was pointless. “It is time for organisations to start to rethink security and become proactive. The focus needs to shift from blame and attribution to a more productive environment of evolving defences and becoming proactive in defence. Security is a journey, not a destination, and pointing the finger of blame does nothing to move your own security further down this road.”

Piers Wilson, product manager at Huntsman Security, reiterated the theme of preparation. “Enterprises must be able to detect and triage increasingly sophisticated and well-funded attacks. Since there is no way of predicting where the next attack will come from, and what form it will take, being able to detect evidence of a breach and react in order to contain the threat in the shortest time possible will be critical. Whether an attack comes from a newly discovered virus, a previously unknown vulnerability, or the actions of an employee, the enterprise has to be prepared to spot potentially dangerous behaviour,” he said.

And when all else fails – and the general consensus is that it will – then be prepared for it.

“The best way for organisations to do this is to assume that their security has already been compromised. Security then becomes a matter of minimising, and where possible eliminating, damage caused by attacks. Encrypting sensitive data, so that even if stolen it is essentially useless to attackers, is one step that should by this point be compulsory. The ability to isolate potentially infected systems is another. However, organisations of any size should ensure they take an all-encompassing approach to security to prevent the risk of serious damage,” said Chris McIntosh, CEO at ViaSat UK.