Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
OPM Suspends Background Check SystemUnion Slams Agency with Class-Action Data Breach Lawsuit
In the wake of the massive data breach that may have resulted in the exposure of personal information for tens of millions of individuals, the U.S. Office of Personnel Management announced June 29 that it has temporarily suspended use of an online background investigation system after discovering a vulnerability. The agency, however, says it does not believe that the vulnerability was exploited by attackers.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Meanwhile, a breach-related lawsuit filed on behalf of federal workers alleges privacy law violations and negligence by OPM officials in their approach to information security as well as their response to what many consider to be one of the worst data breaches in U.S. government history.
The OPM has taken offline the Web-based Electronic Questionnaires for Investigations Processing, or e-QIP, system that enabled individuals to complete and submit background investigation forms online. Such forms include the U.S. government's Questionnaire for National Security Positions, known as SF-86, which investigators believe are among the massive cache of information stolen by OPM's attackers (see OPM Breach Victims: Tens of Millions?).
Exclusive Webinar: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs
"The security of OPM's networks remains my top priority as we continue the work outlined in my IT strategic plan, including the continuing implementation of modern security controls," OPM Director Katherine Archuleta said when announcing that e-QIP was taken offline. "This proactive, temporary suspension of the e-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted."
No New Attack Detected
OPM says in a statement that taking e-QIP offline was "not the direct result of malicious activity on this network." In fact, the office said it does not believe the recently discovered vulnerability in the system has been exploited by attackers. The agency says it expects e-QIP to be offline for up to six weeks, and it acknowledges that the move will have an impact on anyone who needs to initiate a background check.
OPM says it handles more than 90 percent of all U.S. background investigations, conducting more than 2 million per year.
"OPM recognizes and regrets the impact on both users and agencies and is committed to resuming this service as soon as it is safe to do so," the agency says. "In the interim, OPM remains committed to working with its interagency partners on alternative approaches to address agencies' requirements."
Any alternative approach would likely require applicants to submit paper-based background-investigation forms. The SF-86 form stretches to 127 pages.
OPM's e-QIP suspension is notable because Archuleta told the House Oversight Committee June 16 that agency systems with known vulnerabilities - highlighted by the agency's inspector general in recent years - were not shut down because doing so would have disrupted the U.S. government's ability to ensure that retirees received their benefits or that federal employees and contractors got paid (see Lawmakers Lambaste OPM Chief Over Hack).
Some experts, including John R. Schindler, a professor of national security affairs at the U.S. Naval War College and former National Security Agency officer, have asked why OPM didn't take e-QIP offline sooner.
.@thezachnoble what took them so damn long?!?ï¿½ John Schindler (@20committee) June 29, 2015
Investigation So Far
A breach of OPM records involving about 4.2 million current and former federal employees was first discovered in April (see 4 Million Federal Workers' PII Exposed). The House Oversight Committee on June 24 learned from Archuletta, OPM CIO Donna Seymour and US-CERT Director Ann Barron-DiCamillo, among others, that government investigators found that attackers appeared to have used stolen OPM access credentials to access OPM systems and steal data on federal workers. These credentials were apparently stolen from an employee of KeyPoint Government Solutions, a government contractor that provides background check services for OPM, and which suffered a data breach in December.
The reported severity of the breach has continued to increase. By early June, investigators discovered the potential theft of SF-86 forms and other data covering what could be a 30-year period (see Analysis: Why the OPM Breach Is So Bad). Government investigators also believe, according to some reports, that at least 18 million current and former federal employees' and contractors' personal and security files were compromised. Those security files include a number of personal details - marital, sexual, health-related and otherwise - as well as details of an unknown number of applicants' family members, friends and acquaintances.
Since the White House first publicly disclosed part of the OPM breach June 4, the American Federation of Government Employees union, which represents 670,000 employees, and the National Federation of Federal Employees, which represents 110,000 employees, have voiced frustration over the scarce details being offered to affected workers, and the severity of the breach seeming to increase with every new government pronouncement.
Those criticisms came to a head June 29, when the AFGE filed a lawsuit against OPM, Archuletta, Seymour, as well as KeyPoint, that seeks class-action status, as well as damages for victims. "Since at least 2007, the OPM has been on notice of significant deficiencies in its cyber security protocol," according to the lawsuit. "Despite the fact that the OPM handles massive amounts of federal applicants' private, sensitive, and confidential information, the OPM failed to take steps to remedy those deficiencies."
The lawsuit alleges negligence, as well as violations of the U.S. Privacy Act of 1974 and the Administrative Procedures Act - including FISMA - and seeks to ensure that KeyPoint "implement specific additional, prudent industry practices" relating to information security. The lawsuit also alleges that federal workers were caused harm by "KeyPoint's failure to exercise reasonable care and deploy reasonable cybersecurity measures," thus putting workers' personally identifiable information at risk and leaving them exposed to identity theft, healthcare fraud and medical fraud (see Why So Many Data Breach Lawsuits Fail).
"AFGE will not sit idly by while OPM fails to comply with the most basic requests for information or provide an adequate response. Even after this historic security breach, OPM has continued to use poor data security practices and inferior private-sector strategies to solve its security woes," AFGE says in a statement.
"Despite putting government employees and their loved ones at significant personal and financial risk, OPM has failed to reveal the full scope of who was specifically impacted by the data breach and the extent of the information taken," the statement adds. "Additionally, the credit monitoring services that OPM provided have not only fallen short, but actually created more potential security risks for employees."