The federal government announced to the world yesterday that Chinese hackers had penetrated its computer systems, potentially putting the personal information of at least 4 million current and former federal employees at risk.
Here are more details of what we know about the history and scope of this incident and what OPM is telling affected federal workers to do.
A little history
This is not the first hacking incident OPM has suffered. In March of 2014, Chinese hackers also broke into OPM’s computer systems, apparently in search of the files of tens of thousands of employees who had applied for top-secret security clearances.
Much like this time, the incident didn’t hit the news until a few months after it occurred. Note that the date of the story linked to in the New York Times was in July 2014 even though the incident took place in March 2014. The article did note, however, that the attack was particularly noteworthy because Chinese hackers attempt to break into OPM’s servers almost daily but had rarely succeeded.
Fast forward to June 2015 and again we have reports that Chinese hackers broke into OPM’s computer systems. This time, the problem is much larger. In fact, officials have said it could be the largest breach to ever impact government computers.
As many as 4 million current and former federal employees could have had their Social Security numbers, names and addresses compromised, and it’s possible that even greater numbers were affected. The American Federation of Government Employees (AFGE) said in a statement that all 2.1 million current federal employees and an additional 2 million federal retirees and former federal employees may have been compromised. The breach apparently consisted of a covert system put in place to harvest information while remaining undetected.
According to the New York Times, it is unclear whether the break-in was espionage or simply for commercial gain. If the latter, federal employees would be wise to keep a close eye on their personal accounts for suspicious activity, especially if OPM contacts them and says they were among the federal workers whose data was exposed. OPM’s chief information officer said that the volume of information the agency holds about so many people makes it a popular target.
CNN reported that the purpose of the hack appears to be building a massive database of federal workers’ personal information to be used by the Chinese for future attacks against the United States. CNN described the tactic this way:
The [US government] experts said that the goal behind the attack is to build a database of federal employees — using the stolen personal information to fool and impersonate government workers — to set up future “insider” attacks. By revealing who has security clearances and at what level, the Chinese may now be able to identify, expose and blackmail U.S. government officials around the world, the experts added.
Other reports have said the data provide useful ammunition for spies. “They’re able to identify people who are in positions with access to significant national security information and can use personal data to target those individuals,” said Dan Payne, a senior counterintelligence official for the Director of National Intelligence.
OPM has not said whether payroll data or other financial records were compromised. Other news reports have said that potentially every federal agency could be affected by the breach. Employees of the legislative and judicial branches and uniformed military personnel were not affected.
TSP participants should note that their accounts were not impacted by this breach. The TSP released a statement today stating that TSP account numbers are not shared with OPM.
China is in full plausible deniability mode of course. Representatives from the Chinese government basically said in response to the accusations, “prove it.”
This brings us to OPM’s response to the incident. OPM said that within the last year, it has “undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks.” This was done, presumably, in response to the previous break-in in 2014, since the agency said the changes were put in place within the last year.
OPM then says in its press release that because of this “aggressive effort” in upgrading its cybersecurity systems, it discovered the new breach in April that was not reported until yesterday. Kind of makes you wonder what would have happened if they hadn’t made these security upgrades—would the break-in have just gone undiscovered?
The Department of Homeland Security said a detection system called EINSTEIN was used to find the breach. The EINSTEIN system screens federal Internet traffic for potential cyber threats, and it was this screening that identified the hack of OPM’s systems. DHS said it is continuing to monitor web traffic for suspicious activity.
To its credit, OPM also said that it has implemented new security measures in the wake of this second computer breach to protect the sensitive information it manages (namely, your personal data). Some of the new measures it has put in place include:
- restricting remote access for network administrators and restricting the performance of network administration functions remotely;
- a review of all connections to ensure that only legitimate business connections have access to the internet;
- deploying anti-malware software across the environment to protect against and prevent the deployment or execution of tools that could compromise the network.
White House response
In a June 5 press conference, White House press secretary Josh Earnest was largely evasive on questions aimed at specifics of the hacking incident. Earnest said that the situation is still under investigation by the FBI and any new information would be forthcoming from that agency. He would not offer a response when asked if China was behind the cyberattack, saying, “No conclusions about the attribution of this particular attack have been reached at this point.”
Earnest did say that the fact that government computers are at risk was “not news” because of how computer security risks are always evolving. He was asked if he could respond to past reports which had said that security of OPM’s computers was lacking. Earnest said:
The threat that we face is ever-evolving, and that means that our defenses need to be ever-evolving. So to say that our computer systems in the federal government are at risk is not news. We understand that there is this persistent risk out there.
This is a risk, by the way, that is shared by the private sector. All of the computer networks at your organizations are also at risk. And you have dedicated professionals that do the same thing, which is make sure that you’re using as much technology as possible and that you remain vigilant about protecting those systems and using defenses that can be regularly updated and modified to reflect the threat environment.
When asked about the purpose of the attack and what the hackers might be seeking, Earnest again deferred to waiting on results from the FBI investigation, but also added, “Regardless of who it is and regardless of what their ultimate aim is, the administration takes this very seriously and recognizes it as a threat to our national security and a threat — potentially a threat to our economy, but certainly some risk that is being put upon a significant number of current and former federal government employees. And we take this very seriously, and I think that’s why you’ve seen such a serious response from the federal government in reaction to it.”
What’s a federal employee to do?
If you were one of the individuals potentially impacted by this computer breach, OPM will be contacting you soon. Here’s what OPM said it is going to be doing for the affected individuals:
Beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals whose Personally Identifiable Information was potentially compromised in this incident. The email will come from firstname.lastname@example.org and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.
For a complete rundown of the information OPM has provided for federal employees about the incident, be sure to see my blog post: Information From OPM About Cyber Attack. OPM has provided federal employees with steps to take and resources about identity theft, and it will also be offering free credit monitoring services to affected individuals.
In the 21st century, your personal information is on file everywhere, like it or not. This is a grim reminder of why identity theft protection is a must since things like this happen which are completely out of your control and leave you at risk.
OPM has provided some resources for ID monitoring services in the information it released, and Zander Insurance also offers a comprehensive and affordable ID theft protection program that will reimburse you for losses and take care of all of the paperwork involved with fixing a breach to your identity.
If you have other ID theft prevention tips, feel free to share them in the comments. If you are one of the federal employees affected by the breach, please feel free to share your experience with regards to what happened, what information you received from OPM and how you ultimately resolved any problems. We are hopeful that all of our readers will get through this unfortunate incident with as little grief and hassle as possible.