OPM Breach: How Officials Missed a Second Hacker
US officials were so focused on purging a hacker from the government’s computers, after closely monitoring the hacker’s online movements for months and preparing to expel him, that they failed to realize there was a second hacker inside the network entirely.
This is according to a congressional report referenced in a Guardian report, which provided previously undisclosed details of missed opportunities before the break-in at the Office of Personnel Management that exposed security clearances, background checks and fingerprint records.
The intrusion, which was earlier blamed on the Chinese government, compromised personal information of more than 21 million current, former and prospective federal employees. It also led to the resignation of the OPM director, Katherine Archuleta.
The report by the House committee on oversight and government reform blamed the personnel agency for failing to secure sensitive data despite years of warnings that it was vulnerable to hackers. It concluded that the hacking could have been prevented if the agency had put basic security controls in place and acted accordingly after the previous break-in in March 2014, when a Department of Homeland Security team noticed suspicious streams of data leaving its network at odd hours.
After the first hack, the OPM worked with the FBI, the National Security Agency and others to monitor the hacker and better understand his movements. They developed a plan to expel the hacker in May 2014 through several measures, including resetting administrative accounts, building new accounts for users who had been compromised and taking compromised systems offline.
But unknown to them, a second intruder posing as an employee of a federal contractor had infiltrated the system weeks before the planned expulsion. The hacker used a contractor’s credentials to log into the system, install malicious software and create a backdoor into the network. This allowed him to move unchecked through the system for months and steal sensitive security clearance background investigation files, personnel files and, ultimately, fingerprint data.
The breach was detected in April 2015.
Though the congressional report said OPM officials misled the public about the scope of the breach, and also by claiming the two breaches were unrelated, the agency’s acting director, Beth Cobert, said in a statement that OPM disagrees with much of the report, which she said “does not fully reflect where this agency stands today”.