One Year After OPM Data Breach, What Has The Government Learned? | KERA News

Jun 6, 2016
Originally published on June 9, 2016 3:58 pm

This week marks a year since the government first revealed that hackers had stolen personnel files of some 4 million current and former federal employees.

About a month later, that number grew to more than 20 million people, including contractors, family members and others who had undergone background checks for federal employment. Everything, from Social Security numbers to birth dates, even fingerprint records, was accessed through Office of Personnel Management networks.

"Massive Data Breach," the headlines called it.

So has anything changed in the succeeding 12 months?

Acting OPM Director Beth Cobert thinks so. "There's a whole series of things around technology, around people, and around process that are different today than a year ago," she says.

Cobert is herself one of the changes at OPM, named to replace Katherine Archuleta, who resigned under pressure from Congress last July.

Cobert says cybersecurity has been amped up at OPM under her watch. The agency now requires employees to use two-factor authentication to log into their computers, meaning a password and a secure card. Employees can no longer access their Gmail accounts from their office computers. OPM has also implemented new tools to detect malware. Cobert says the government can see all the devices connected to its networks as well as monitor the data moving into and out of the system.

"There's a whole series of multilayer defenses we've put into our systems," she says.

It's still unclear how exactly the data were stolen, but investigators believe that hackers may have gained access to the government system through a contractor's website. So the Departments of Defense and Homeland Security have been helping OPM design a new, more secure software system to allow the personnel agency to conduct its own government background checks rather than outsourcing them.

"[OPM] had older systems, that needed to be modernized," says Ann Barron-DiCamillo, who led the DHS cyber team that investigated the OPM breach. "They had neglected networks from the perspective of putting in the cybersecurity sensors and technologies that they need to find adversaries in the network."

Plus, OPM workers were using weak usernames and passwords, she says. "The majority of things that were hitting OPM at that time was going to be your typical phishing scams, you know, targets of opportunity," Barron-DiCamillo tells NPR's Audie Cornish. Barron-DiCamillo says much attention has been paid to brand-new vulnerabilities, but in many cases, on older civilian systems, hackers exploit older vulnerabilities that have existing fixes that aren't adopted fast enough — in many cases out of budget constraints.

"[The OPM hack] brought into the forefront that smaller-sized, medium-sized agencies that didn't consider themselves to be such a threat to cyberactivity from data thieves, that they also have this potential publicity associated with becoming a target and becoming a victim," Barron-DiCamillo says. "They have increased the spending associated with that or are asking Congress for increased budgets."

Rep. Will Hurd, chairman of the information technology panel of the House Oversight Committee, says OPM may be moving in the right direction now, but vulnerabilities remain across government agencies — whether it's the Department of Education, which he says has "tons of information on anyone who's going to school," or the Social Security Administration.

"They're not even adopting some of the best practices when it comes to good digital system hygiene," says Hurd, a former CIA agent whose personnel records were among those hacked.

It took OPM some six months to formally notify the millions who had their records breached. They're now eligible for three years of credit monitoring and identity theft protection services.

Hurd says he personally hasn't noticed any ill effects from the stolen records, but Ryan Lozar thinks he has.

The former federal court law clerk says he froze his bank accounts after someone spent thousands at Best Buy in his name and opened a PayPal account. The hack has caused him "endless explaining, explaining, explaining," dealing with his banks, Lozar says. "It's just kind of exhausting and frustrating."

Lozar is a plaintiff in a class-action suit filed against the government by the American Federation of Government Employees. Among other things, it seeks monetary damages as well as lifetime credit monitoring and identity theft protection for the affected people. A hearing is expected this fall.

Barron-DiCamillo says her information was also part of the breach. She encourages those affected to use the free credit monitoring and identity theft protection services — and make sure to monitor them.

"There's an interesting discussion I heard from OPM that they should even offer [lifetime identity theft protection] as part of federal benefits, because of the kinds of data that they mandate that we provide to them when we sign up for service in federal government," says Barron-DiCamillo, who's now chief technology officer at Strategic Cyber Ventures. "I thought that was a great idea; I think they should look toward providing this as a benefit, just like health care that they provide for federal employees."

Government officials have pointed to China as being behind the breach. Whoever it is, Cobert acknowledges that the U.S. government still has work to do.

"There's a whole set of adversaries out in the world who keep looking for bad things," she says, "and we've got to fundamentally modernize our systems to build in security by design."

Copyright 2018 NPR. To see more, visit http://www.npr.org/.

ROBERT SIEGEL, HOST:

It's been a year since the U.S. government admitted that hackers had broken into a computer system that stores some of the most sensitive government data - the names, Social Security numbers, addresses and other information about millions of people who hold government security clearances or had applied for them.

In this week's All Tech Considered, we look at what's happened to the government and the victims since.

(SOUNDBITE OF MUSIC)

SIEGEL: The agency responsible for keeping those records - the Office of Personnel Management - has made changes. But as NPR's Brian Naylor reports, things have been tough for some of the federal workers affected by the breach.

BRIAN NAYLOR, BYLINE: The news headlines last June were pretty dramatic.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED REPORTER #1: The breach into the Office of Personnel Management.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED REPORTER #2: A massive...

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED REPORTER #3: Massive...

(SOUNDBITE OF ARCHIVED RECORDING)

LESTER HOLT: Massive hacking attack that compromised data on over 21 million Americans.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED REPORTER #4: Really remarkable in its size and its scope.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED REPORTER #5: Worse than they previously thought.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED REPORTER #6: The experts tell us this is just...

NAYLOR: That was then. Now...

BETH COBERT: There's a whole series of things around technology, around people and around process that are different today than a year ago.

NAYLOR: That's Beth Cobert. She's the acting director of OPM, and she's one of the changes at the agency replacing Katherine Archuleta who resigned under pressure from Congress last July. Cobert says cybersecurity has been amped up under her watch.

COBERT: We have two-factor authentication to access the network. That means you need a card as well as a password to log onto your computer. We can see all the devices that are connected to a network at any time. When we see data leaving the network that we think is suspicious, we can catch it. We've got tools that detect malware, so there's a whole series of multilayer defenses we've put into our systems.

NAYLOR: Cobert says government workers can't even check their Gmail accounts from their office computers any longer. The Department of Defense and Homeland Security have been helping OPM design a new more secure software system to allow the agency to conduct government background checks rather than contracting them out.

Republican Congressman Will Hurd of Texas is a former CIA agent whose personnel records were among those hacked. He says OPM is moving in the right direction under Cobert. But Hurd says there are still lots of vulnerabilities across government.

WILL HURD: Whether it's Department of Education that has tons of information on anyone who's going to school to Social Security Administration that has information on every single American, I've seen that they're not even adopting some of the best practices when it comes to good digital system hygiene.

NAYLOR: It took OPM some six months to formally notify the millions who had their records breached. They're eligible for three years of credit monitoring and identity theft protection services. Hurd says he personally hasn't noticed any ill effects from the stolen records.

Ryan Lozar thinks he has. The former federal court clerk says he froze his bank accounts after someone spent thousands at Best Buy in his name and opened a PayPal account.

RYAN LOZAR: It turns into this endless explaining - and really, like, they're treating me as someone who has been rejected as having bad credit even though it's a freeze. And it's just exhausting and frustrating.

NAYLOR: Lozar is a plaintiff in a class-action suit filed against the government by the American Federation of Government Employees. Among other things, it seeks monetary damages and lifetime credit monitoring and identity theft protection for the affected people. A hearing is expected this fall. Government officials have pointed to China as being behind the breach. Acting OPM director Cobert acknowledges that whoever it is, the U.S. government still has work to do.

COBERT: There's a whole set of adversaries out in the world who keep looking for bad things, and we've got to fundamentally modernize our systems to build in security by design.

NAYLOR: But, she says, the government has made significant strides in the last 12 months when it comes to protecting its data. Brian Naylor, NPR News, Washington.

Transcript provided by NPR, Copyright NPR.