Cyberexpert says OPM hack affected hundreds of millions

An official with cybersecurity company Symantec speculates that up to 275 million people had information included in the Office of Personnel Management files breached by hackers.

“I think [OPM] is the most underreported breach there is,” said Robert Myles, Symantec’s national public safety practice manager, at the Association of Public-Safety Communications Officials conference in Washington on Wednesday.

“I have an SF-86 in that system,” Myles said. “There’s 14 people on my form. If you construct the numbers out of that, it’s probably somewhere in the neighborhood of 200 to 275 million people affected.”

Hackers obtained 21.5 million SF-86 forms submitted by applicants seeking security clearances with the federal government. The 127-page form asks, among other things, for the names of friends, relatives and associates who have known applicants and can attest to aspects of their lives. It also asks more sensitive questions about applicants’ personal lives and moral shortcomings.

The Institute for Critical Infrastructure Technology published a report this week assessing the impact of the breach, noting that cyberforensics have traced it to a state-sponsored Chinese group called “Deep Panda.” The group is responsible for hacking both commercial and government networks for Chinese intelligence.

The authors state that Deep Panda’s techniques are often no more sophisticated than obtaining access to the credentials of a careless employee within an organization, and that it was probably in that manner that the OPM breach originated. “The OPM breach almost definitely began with a set of compromised user credentials,” they write, saying “the majority of breaches begin with a set of compromised user credentials.”

The report suggested that potential victims change their passwords every three months as a precaution, which may be of little solace to those fearing the loss of their secrets to foreign intelligence agencies. The federal government has promised to set up a free call center, credit monitoring, and identity theft services, but the timetable on those services is uncertain. The General Services Administration is expected to award $500 million in contracts to cybersecurity firms to help with those commitments on Aug. 21.

Meanwhile, House Oversight Chairman Jason Chaffetz, R-Utah, has sent a letter to the United States Computer Emergency Readiness Team, or US-CERT, one day after sending a letter demanding that OPM turn over a list of documents related to the breach.

The Aug. 19 letter to US-CERT asks the agency to inform his committee of the specific dates that OPM has contacted their office, “malicious code or malicious logic” that contributed to the hacking of OPM’s systems, and what recommendations US-CERT has made to OPM to improve the department’s cybersecurity.

As an arm of the Department of Homeland Security, US-CERT is responsible for the cyberdefense of agencies across the federal government. Lawmakers are concerned that OPM officials have been too lackadaisical in working to engage the assistance of other agencies responsible for protecting them.

In a letter addressed to OPM Acting Director Beth Cobert a day earlier, Chaffetz asked for a copy of that agency’s security practices and protocols, whether they had been accessed by hackers this year, and in the event they were, whether OPM had informed US-CERT or other federal agencies that they had been compromised.

Lawmakers are questioning whether OPM officials have done enough to secure their agency’s systems, and they are looking for evidence that the OPM’s Chief Intelligence Officer Donna Seymour has failed to perform the basic functions of her job. In an Aug. 6 letter, Chaffetz joined 17 additional lawmakers in calling for Seymour’s removal, stating that she had “already failed the American people with her inability to secure OPM’s networks.”
