In an article in the New York Times, reporter Julie Hirschfeld Davis explains how the Obama administration revealed that 21.5 million people were swept up in the breach of the Office of Personnel Management computer systems, meaning that every person given a government background check for the last 15 years was probably affected. Protegrity CEO Suni Munshani provides his perspective as a data security expert.
WASHINGTON — The Obama administration on Thursday revealed that 21.5 million people were swept up in a colossal breach of government computer systems that was far more damaging than initially thought, resulting in the theft of a vast trove of personal information, including Social Security numbers and some fingerprints.
Every person given a government background check for the last 15 years was probably affected, the Office of Personnel Management said in announcing the results of a forensic investigation of the episode, whose existence was known but not its sweeping toll.
The agency said hackers stole “sensitive information,” including addresses, health and financial history, and other private details, from 19.7 million people who had been subjected to a government background check, as well as 1.8 million others, including their spouses and friends. The theft was separate from, but related to, a breach revealed last month that compromised the personnel data of 4.2 million federal employees, officials said.
Both attacks are believed to have originated in China, although senior administration officials on Thursday declined to pinpoint a perpetrator, except to say that they had indications that the same actor carried out the two hacks.
The breaches constitute what is apparently the largest cyberattack on the systems of the United States government, providing a frightening glimpse of the technological vulnerabilities of federal agencies that handle sensitive information. They also seemed certain to intensify debate in Washington over what the government must do to address its substantial weaknesses in cybersecurity, long the subject of dire warnings but seldom acted upon by agencies, Congress or the White House.
. . .
That attackers were able to compromise the agency using a contractor’s credentials is unacceptable, security experts say, given the wide availability of two-factor authentication tools, which have become standard practice, particularly since a cyberattack at Target nearly two years ago, when hackers managed to break into the retailer’s system using the credentials of a heating and cooling contractor.
“A second offense is more unacceptable than the first,” said Suni Munshani, the chief executive of Protegrity, a data security company. “The O.P.M. and government agencies need to get their act together and better protect the information of their employees and citizens.”
The full article can be found here.