Rebecca Anderson
CFRS 663
Research Paper #1
9/22/2015
The United States Office of Personnel Management (OPM) announced on June 4th, 2015 that hackers had intruded into its network to exfiltrate the personnel records of 4.2 million current and former government employees (Bisson). On June 23rd, FBI Director James Comey confirmed that the OPM breach was much worse than originally thought: in total, 21.5 million people were compromised. Information security experts warn that this breach could threaten the United States’ national security for generations. It is important to study how the breach occurred to prevent similar ones in the future.
The United States Office of Personnel Management was and remains an extremely attractive target for hackers, especially those sponsored by foreign governments. One of the prime responsibilities of OPM is managing security clearances. While OPM may not guard information related to nuclear launch codes or NASA’s latest breakthroughs, OPM has the personally identifiable information of the employees who can access that information. Now the hackers may have the names, birth dates, home addresses, and Social Security numbers of those Top Secret-cleared employees and could potentially blackmail them or threaten their families (Castelluccio).
The first attempts to breach OPM’s network were recorded in March 2014 (Bisson). They were thwarted by intrusion detection systems on the network. No personally identifiable information was thought to be
Towards the end of 2013, OPM began to upgrade its cybersecurity policies. It added new tools and capabilities to various networks throughout the agency. As a result of the new security upgrades, OPM was able to identify two different cybersecurity incidents on its systems. In May of 2015, OPM discovered that its system had been under attack. Information such as background investigation records of current, former, and prospective Federal employees and contractors was stolen. After an extensive forensics investigation, it was determined that the types of information in these records include identification information such as Social Security Numbers, educational history, employment history, information about immediate family and other personal
Technology has facilitated the transmission of data. With that in mind, sensitive information must be closely safeguarded. Failure to protect vital information may facilitate its retrieval by criminals or those with malicious intent to use that data unethically. Individuals with access to material non-public information may sell that information to an outside party for profit. Likewise, these individuals may harvest this data within their perimeters to use as ammunition to defraud or blackmail an organization. Employers need to be wary of the threat of insiders exposing sensitive information to outside parties. “An insider is anyone who has intimate knowledge of internal operations and processes, or trusted access to
The government and major companies have frequently leaked and misused the public’s information. For example, in his 2005 article “Take My Privacy, Please!”, Ted Koppel mentions how Bank of America lost personal information on about 1.2 million federal government employees, including some senators. LexisNexis unintentionally gave outsiders access to personal files on over 310,000 people. Time Warner
In June of 2015, the Office of Personnel Management found out that it was being hacked. The hack had been going on for several months before authorities realized it. It was one of the largest security breaches in United States history.
While employed as a Human Resource Assistant, he is responsible for safeguarding Personally Identifiable Information (PII) and entering data or information in the electronic Personnel Files (e-OPF) and Defense Civilian Personnel System (DCPDS). Subsequently, he has not had any documented instances of failure to secure PII or putting such information at risk. Most importantly, he understands that it’s his duty to protect confidential information and ensure that it’s not compromised.
This case study, written in 2009, is not the only case where a major data breach has occurred within organizations. In late 2011, Sony’s PlayStation Network (PSN) was breached, impacting up to 77 million users’ accounts, including data on names, addresses and possibly credit card details. In late 2013, Target had a cyber-attack that compromised a large quantity of its data and had 110 million accounts compromised. Finally, in September 2014, Apple had their iCloud server breached by hacking that compromised all the users of the online server. These occurrences still have some unanswered questions, and several experts have yet to decipher the actual reason why the security breach occurred.
The Goodwill breach is a sore point for many security researchers, as the third-party POS vendor has not yet revealed how the attackers compromised their environment. Unfortunately, this is the case in many data breaches over the past several years. Rather than sharing details with the community, organizations instead conceal critical details of the breaches, whether out of embarrassment or fear of brand damage. There are also some legal reasons to consider, such as protecting customer data and the confidentiality of ongoing investigations by law enforcement.
In July 2015, the Obama administration revealed that a significant cyber attack affected government computer systems. The Obama administration admitted that more than 20 million government workers were affected by the cyber attack. During the cyber attack, hackers were able to gain access to personal information that included Social Security numbers and fingerprints. Besides gaining access to Social Security numbers and fingerprints, the hackers were also able to steal home addresses, financial history, and other sensitive information. This cyber attack alone affected 19 million government workers and over 1 million spouses. The administration indicated that the cyber attack was separate but related to another cyber attack that
Network intrusion may be a difficult task to complete with advances in network security, but with evolving technology and the availability of information on the Internet, network intrusion prevention may be the harder task. It was mentioned above that one must get to know his enemy before the attack; the same can be said if the roles are switched and one is on the defense. To obtain and maintain network security, motives for network intrusion must be analyzed. Take, for example, the attack that was conducted on the Office of Personnel Management, which acts as the United States Government’s Human Resources department. On June 4th, 2015, the Office of Personnel Management released a statement saying “Personnel data, including personally
A management factor that contributed to these problems came from the work of highly skilled professionals. When employees don’t take the problem seriously and aren’t alert for hacking incidents and other network vulnerabilities, cyberattacks go unnoticed until it’s too late. In some cases, people may override them and get access into the malware to enter systems just like OPM. Organizations, whether they’re public or private, continue to not plan for security before building any computer systems that are immune to cyber-attacks. The OPM had been warned multiple times of security failures and vulnerabilities. The OPM has been reported for persistent deficiencies in its information system security program, incomplete security authorization, weak testing controls, and inaccurate plans of action. A technology factor that contributed to this problem is tracing the identities of attackers through cyberspace. Security experts believe that the breach problem involved the OPM’s failure to prevent remote break-ins (Rice, 2015). They fail to keep the system highly secure so that users cannot easily hack through the
Confidentiality must be met in the storage, processing, and transmission of data in an organization. For example, we are going to look at a major recent data breach. On March 8, 2017, the US Department of Homeland Security sent Equifax a notice to patch a vulnerability in versions of the Apache Struts software. On March 9, Equifax dispersed the information to applicable personnel. Although told to apply the patch, Equifax’s security team did not find
About “700 current or former employees had information including their names, Social Security numbers and wage data compromised in the attack” (Peterson).
On an average of 2% a year, personal records are exposed from over 700 public breaches over all areas of the departmentalized sectors. The global cost of each lost or stolen record containing secret and sensitive information averages over $100. There were 35% more security incidents detected within the last
The analysis of 2,260 breaches and more than 100,000 incidents at 67 organizations in 82 countries shows that organizations are still failing to address basic issues and well-known attack methods. The DBIR (2016) shows, for example, that nearly two-thirds of confirmed data breaches involved using weak, default or stolen passwords. It also shows that most attacks exploit known vulnerabilities that organizations have never patched, despite patches being available for months – or even years – with the top 10 known vulnerabilities accounting for 85% of successful exploit “Organizations should be investing in training to help employees know what they should and shouldn’t be doing, and
Once this breach had been announced, it was considered the largest breach in the history of the internet. Furthermore, the breach had only been discovered by law enforcement officials once it had been provided to them by an anonymous third-party hacker. While trying to track down the source of the seller’s data, they had figured out that the seller was offering 1 billion Yahoo user accounts for a price of