The Green Sheet Online Edition
July 13, 2015 • Issue 15:07:01
Strong response to massive
breach of federal workers' PII
Editor's Note: For additional news stories, please see Breaking Industry News on our home page, www.greensheet.com.
The United States Office of Personnel Management confirmed on June 4, 2015, that a cybersecurity attack may have impacted as many as 4 million current and former government workers. This new data security breach follows the recent intrusion of a consumer-facing web portal hosted by the Internal Revenue Service disclosed May 26 and the breach of an unclassified network at The White House reported in October 2014.
The recent OPM incident occurred during a window of vulnerability before the agency's network was reinforced with new security tools and capabilities, authorities said. Recently installed threat detection tools and capabilities led to the discovery in April 2015 of an intrusion that had been operating undetected for an unknown period.
"OPM has partnered with the U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to determine the full impact to federal personnel," the OPM stated, reiterating its continuous efforts to protect sensitive data by improving security best practices and information technology (IT) infrastructure monitoring.
In the wake of the data breach, the OPM beefed up network security alerts and restricted access to its networks by remote IT personnel. IT administrators are also reviewing ports and connections and deploying anti-malware across the enterprise to further protect the network.
Another remediation drill
OPM Director Katherine Archuleta said the OPM will honor its responsibility to secure the information stored in its systems and take additional measures to secure its network. "Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM," she said.
The OPM stated its plans to notify the approximately 4 million individuals whose personally identifiable information (PII) may have been compromised. It vowed to continue notifying personnel throughout the investigation should additional PII exposures occur. The OPM will provide 18 months of free credit reporting, credit monitoring, and up to $1 million dollars in identity theft and recovery insurance services to all potentially affected individuals.
The OPM advised all personnel to "monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions." Employees are encouraged to make use of public resources such as AnnualCreditReport.com and the Federal Trade Commission's identity theft website, www.identitytheft.gov. They can also contact TransUnion LLC to request that a fraud alert be placed on their files, which instructs prospective creditors to contact consumers before opening or activating new accounts.
The agency also advised federal personnel and private citizens to be suspicious of unsolicited phone and email communications from unknown individuals claiming to represent legitimate organizations. It also suggested the following resources for further guidance: Protecting Your Privacy, www.us-cert.gov/ncas/tips/ST04-013; the Anti-Phishing Working Group www.antiphishing.org; Understanding Firewalls, www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, www.us-cert.gov/ncas/tips/ST04-005; Reducing Spam, www.us-cert.gov/ncas/tips/ST04-007); and the FBI's Internet Crime Complaint Center at www.ic3.gov.
Immunize against future attacks
At the June 2015 Exponential Finance conference, Marc Goodman, global security advisor and author of Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It, observed similarities between cyber security and public health best practices and recommended that the security community borrow a page from the Center for Disease Control playbook.
"I'd like to see the security community adopt a more epidemiological approach to cyber security, by immunizing the public against widespread computer viruses and cyber attacks," he said, referring to the scientific study of cause and effect of infectious diseases used to create public policy by identifying risks and establishing guidelines for preventive healthcare.
Goodman cited a 1999 study by the CDC that identified automotive safety as the most significant accomplishment of the 20th century, an achievement tied to the publication in 1965 of Ralph Nader's book, Unsafe at Any Speed. About the book, Goodman said, "3.5 thousand people were killed per day worldwide until that book was published, which led to seatbelts, air bags and a range of other improved industry standards."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.