With more than a bit of egg on their face, the Office of Personnel Management (OPM) said in announcing the results of a forensic investigation of its recent data breach problems that 21.5 million people had their personal information compromised and stolen. This far exceeds the initial assessment that roughly 4.2 million records of government employees were hit. In addition, what was taken was also more detailed than first thought.

What we now know is that it is likely everyone given a government background check for the last 15 years probably had their personal information pilfered. OPM said hackers extracted such things as addresses, health and financial history, and other private details including fingerprint records, from 19.7 million people who had been subjected to a government background check, and data on 1.8 million others, including their spouses and friends.

The report also noted another alarming fact. This was not one but two incidents of cyberattacks. The stealing of the massive amount of sensitive information was separate from, but related to, the breach that made headlines revealed last month that compromised the personnel data of 4.2 million federal employees, OPM spokespeople said.

As to who is responsible, OPM says that both attacks are believed to have originated in China, however, the Obama administration is being careful about finger-pointing a specific bad actor, despite indications of supporting evidence.

That is what we know, and what has been widely disseminated. 

It appears we did not learn much from the Snowden revelations

And here is what you have not read yet about the OPM incidents. 

As those who follow my postings on data breaches are aware, industry security experts like to pass along to me their thoughts on all of the big data breaches and other types of cyberattacks. One that really caught my attention, and should yours as well is something that has yet to make the headlines. 

Richard Blech, CEO, Secure Channels, commented as follows:

"Let’s deconstruct what actually transpired with OPM. . .The credentials were not stolen and it has nothing to do with a social engineering attack. What you will not hear in the press is that OPM contracted out some database administrative tasks 3 years ago to "Company X" which then in turn sub-contracted the work out to "Company Y". Company Y then hired two contractors, one in Argentina and the other in the Peoples Republic of China to perform the work. OPM gave them authorized approved access (root) to the database to perform their job functions. In other words, they had permission and FULL access to the database and its data. In this case, it's no different than an authorized user performing select statements against the database to pull data as part of their job function. They have to be able to read the data to work.

"The failure in this case is how did two foreign nationals get approved administrative access without a background check and being cleared. Encryption would not have helped in this case. In summation this was an unconscionable train wreck. OPM ignored systemically every aspect of Best Practices, they could not have utilized ‘worst practices’ if that had been the goal."

You read correctly, as with Edward Snowden, it appears that OPM allowed problematic people administrative access without a background check or clearance the combination to the vault. Assuming the trail outlined by Blech is accurate, it really is time for an attic to basement assessment by not just government agencies but everyone as to who has access to what, when, where, why and how. This goes not just for subcontractors but anyone given broad access to sensitive data of any type. 

It raises the question in regards to U.S. government agencies, since this goes to the heart of national security, as to how many of these types of incidents it will take before much better practices are instituted. Authentication and validation of the human part of security obviously needs examination and re-thinking along with the obvious needs of having better detection, prevention and remediation of malicious activities.

Finally, an observation by Jonathan Sander, Strategy & Research Officer with STEALTHbits struck a chord with me and is certainly food for thought: 

“What’s scary about the OPM breach is not the numbers, but the fact that what’s been stolen is what everyone is using to secure the rest of their lives. When people are recovering passwords they’ve forgotten, they are asked for personal information only they know. Things like obscure items from their credit history or family details. That data is has been stolen from OPM.

People who really want strict security may lock things down with their biometrics. Fingerprints are the most common biometric and over a million of those were stolen from OPM, too. Bad guys can spoof a phone where you may have a pass code or one time password texted if they know your numbers. The OPM bad guys know those numbers. Everyone in the security industry knows we need new ways to lock down our digital lives, but those warnings go unheeded. Now that the bad guys have everything they need to completely hijack the digital lives of some people of direct interest to the government, maybe someone will start paying attention.”

Sanders and Blech are spot on, attention must be paid indeed and not just in word. How the government will respond remains to be seen.  However, as noted, this is not just about the government. This week’s NYSE, UAL and Wall Street Journal (WSJ) computer and communications “glitches” are reminders of the consequences of living in a connected world and that human error along with malice can create havoc when best practices for securing data at rest and on the move are ignored or deemed too expensive. 

Polls show that a majority of people in the U.S. already do not trust government, financial and healthcare institutions to keep their personal information secure. The real danger is how near we are to the tipping point of destroyed trust in digital commerce. It is something that we hopefully will not find out.

It is also why the current debate about how much capability the “good guys”, e.g., intelligence agencies, can have to counteract all of the activities of the long list of bad actors while balancing the privacy concerns of citizens and corporations is one of the most important issues policy-makers need to address. And, that is something we need to not just be reading about; we also need to become part of the conversation.