
Basic security could have prevented OPM breach, says report

Basic security controls and malware-detection tools could have prevented the breach of more than 21 million records at the US Office of Personnel Management in 2015, claims a congressional report

Basic security controls could have prevented the breach that exposed the personal data of more than 21 million current and former government employees, according to a congressional report.

The 2015 breach at the US Office of Personnel Management (OPM) included 19.7 million background investigation applications and 1.8 million non-applicants.

The breach was in addition to the 4.2 million records exposed in the first OPM breach in December 2014, which the report said was a missed opportunity to put effective defences in place.

The report by the House Committee on Oversight and Government Reform said the OPM failed to recognise from the 2004 breach that it was vulnerable to attacks by sophisticated, persistent adversaries, and failed to put in place the basic necessary security controls, reported Associated Press.

The congressional report said the OPM also failed to deploy security tools to detect malicious code and other threats quickly enough. When such a tool from security firm Cylance was eventually deployed, it found malware throughout the federal computers, according to an engineer quoted in the report.

In an interview, committee chairman Jason Chaffetz said that the breach was entirely preventable. “With some basic hygiene, some good tools, an awareness and some talent, they really could have prevented this,” he said.

The report stated that for two months after the first breach in March 2014, the OPM worked with the FBI, the National Security Agency (NSA) and others to monitor the intruder and developed a plan to expel the individual or individuals responsible from the network, but failed to detect another, possibly related, intrusion.

The second intruder used credentials stolen from a third-party contractor to log into the OPM network, install malware and create a back door to return several times in the following months to copy the data, which also included personnel files and fingerprint data.

OPM acting director Beth Cobert said in a statement that the agency disagrees with much of the report. The report “does not fully reflect where this agency stands today,” she said, adding that the hack “provided a catalyst for accelerated change” within the OPM, including hiring new cyber security experts and strengthening its security.


The OPM hack is widely believed to have been part of a China-based cyber espionage campaign, and although the report does not give any details about who was responsible, it said the breaches were likely perpetrated by the group Deep Panda, which has been linked to the Chinese military.

CESG director of cyber security Alex Dewdney told RSA Conference 2016 in San Francisco that the OPM hacks were “very scary” for those responsible for UK government cyber security.

“It scared people who had not thought much about cyber security,” he said, adding that this was really helpful because it resulted in the recognition by the UK government of the need to reform the role of its senior information risk office (Siro).

The breaches inspired a fast-paced survey of the UK government’s holdings of bulk data, said Dewdney, as well as a measurement of the extent to which government departments were adhering to a “fairly basic set” of control measures, which in turn led to remedial action.
