
ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

The OPM breach report: A long time coming

October 18, 2016 by Shain R. Amzovski 3 Comments

This article discusses the breach of OPM (Federal Office of Personnel Management). The breach, which leaked information about roughly 22 million current and former employees, became public in mid-2015. It took close to another 15 months for Congress to complete a report on it. Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second group, who worked as a third-party contractor, was also able to get access to OPM’s system, and it was not discovered until May 2015. I was employed with the federal government in May 2014, so there was a chance that my information was a part of the 22 million names that were sent out. I received several e-mails and letters in the mail informing me about the breach. Below is a list of what the inspector general found about the security in place at OPM.

An inspector general’s report from November 2014 was blunt about a lack of basic security measures including:

  • A lack of encryption
  • No two-factor authentication for workers remotely accessing the system
  • No inventory of servers and databases
  • Lack of awareness of all the systems connected to its networks

Article Link:

http://www.csoonline.com/article/3130682/data-breach/the-opm-breach-report-a-long-time-coming.html?google_editors_picks=true

Filed Under: Week 08: Social Engineering, Encoding and Encryption


Comments

  1. Ahmed A. Alkaysi says

    October 18, 2016 at 3:13 pm

    This is why it is extremely important to have some sort of security control measures in place. Even the most basic will include requirements for 2 factor authentication or knowing what systems are connected to the networks. It always seems like Government entities have the worst security measures in place.

  2. Vaibhav Shukla says

    October 19, 2016 at 10:27 am

    I think it's a very bad approach by a government agency in maintaining its IT infrastructure.
    The IT systems were like full of vulnerabilities and the officials were waiting for such a data breach event to take place in order to put everything on track.
    The common items mentioned in it are like some of the keys in maintaining IT security in an organization, and even small businesses nowadays are protecting themselves from these factors.

  3. Jason A Lindsley says

    October 19, 2016 at 6:41 pm

    It took them 15 months to create the report on this. I wonder how long it will take them to remediate all the security findings. The other day a colleague was talking about how the OPM breach was much more than government employee information. I can see now how the SF-86 form could also provide personal and confidential information of employee’s family members. The SF-86 also contains information on financial history, investments, arrest records, medical problems, any drug or alcohol problems and other material that could be used to blackmail an employee.

    The thing that bothers me most in this case is the lack of accountability. Any publicly held organization would have required much stronger action against the leadership team.

