What’s Missing in the Conversation About the OPM Breach?

September 08, 2016//Ellen Neveux

Last Updated: November 18, 2020

Poor vendor access management is the downplayed cause of the OPM breach
A little over a year ago, the U.S. government fell victim to the most extensive data breach in its history when hackers pinched the records of more than 20 million government personnel. These hackers accessed files in the databases of the United States Office of Personnel Management (OPM) by using credentials granted to a third-party vendor, KeyPoint Government Solutions, a company used by federal agencies to conduct background checks.

This cyber-intrusion has mostly flown under the radar of the average American. What’s more, the breach can be traced back to one contractor’s credentials, and the proper regulations weren’t in place that could have prevented such a catastrophic flub. Every aspect of this intrusion has been underreported. So, why aren’t we making a bigger deal out of the issue of poor vendor access management? And who’s responsible for ensuring sensible cybersecurity guidelines are followed?

First, let’s play catchup with the OPM breach since word first broke about it in June 2015.

  • The OPM first caught the breach in April 2014, but it’s believed to have happened as early as March 2014.
  • The Department of Homeland Security (DHS) reports that hackers had full access to the OPM network for 10 months before Einstein, an intrusion-detection program used by the DHS, identified the malware signatures.
  • Stolen information includes Social Security numbers, names, dates and places of birth, addresses, and possibly detailed security-clearance-related background information. This theft includes data from those who went through background checks, even if those people aren’t current or former government employees.
  • Officials believe Chinese hackers associated with that nation’s government committed the breach.
  • Katherine Archuleta, the director of OPM at the time of the data breach, resigned in response to the breach and backlash.

Before exiting her position as OPM director, Archuleta faced the Senate Appropriations Subcommittee on Financial Services and General Government. The then-director came to the defense of KeyPoint systems, which employed the contractor whose credentials the hackers used to access the massive amount of sensitive data.

“While the adversary leveraged a compromised KeyPoint user credential to gain access to OPM’s network, we don’t have any evidence that would suggest KeyPoint as a company was responsible or directly involved in the intrusion,” Archuleta said.

Breach compounded due to improper encryption of data
While the breach was compounded by improper encryption of sensitive data, outdated security systems, and limited external intrusion monitoring, there’s no denying that poor third-party access management allowed this devastating breach of federal data to occur. During the same hearing Archuleta faced, DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment explained that no amount of other security measures can keep hackers out if they have access to a user’s credentials.

“If an adversary has the credentials of a user on the network, then they can access data even if it’s encrypted, just as the users on the network have to access data, and that did occur in this case,” Ozment said. “So encryption in this instance would not have protected this data.”

So, KeyPoint or a representative of KeyPoint didn’t hack into the OPM system or purposefully cause the breach, but poor credential management caused the hack, or at least access to the credentials made the hack profoundly easier than it would have been without them. In the aftermath, OPM, DHS, KeyPoint, and whoever that poor contractor is who most likely found himself or herself looking for a new job have all learned their lessons. OPM has rewritten and increased its IT security procedures, and agencies such as the Office of the Inspector General have begun running internal audits to discover holes in the system that could use plugging up. What have the rest of us learned from this digital invasion?

Here are a few questions to ask yourself when considering your company’s level of cybersecurity and third-party management:

  • Are your data security systems up to date?
  • Have you implemented two-factor authentication?
  • What level of privileges do you give external users?

Access must come with activity controls and audit
Remember, hackers only needed the credentials of one person to steal identifying information on more than 20 million people. If you have one key that can open one great big door, how you monitor its use is critically important. The bigger lesson, though, is that powerful credentials should never be handed out to external users, and any granted access must come with serious activity controls and audit.

Just make sure you do more than keep the keys to the kingdom under the proverbial welcome mat for anyone to find.

About SecureLink

Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.
