Future Tense

Government Discovered Employee Data Breach While It Was Trying to Upgrade Security

Office of Personnel Management headquarters.

Photo by Mark Wilson/Getty Images

On Thursday night government investigators disclosed a massive data breach estimated to affect 4 million current and former federal employees. The Office of Personnel Management and the Department of Interior were impacted, plus most other executive branch agencies. The situation does not seem to affect the legislative and judicial branches or uniformed military personnel.

Investigators suspect that the hack, which took place in December, was perpetrated by the Chinese government, which was apparently involved in a smaller attack on OPM in July. The Washington Post reports that security firm iSight Partners has found evidence that the hacking gang responsible for the Anthem hack (disclosed in February) is the same one behind this attack.

“The intruders find their way in and then they want to lie in wait for a while. They want to root around and find out where all the critical information is, and the game is to be undetected for as long as possible,” said Jonathan Klein, the president of security solution firm MicroStrategy. “The breaches are becoming more and more sophisticated. The scale is sort of breathtaking.”

CNN reports that OPM discovered the breach while it was working on upgrading its cybersecurity defenses. When the agency found evidence of a possible intrusion, it deployed a new detection system called EINSTEIN to gather information about what had happened on the network. A senior Department of Homeland Security official told the Post, on the condition of anonymity, that the “good news” about the whole situation is the effectiveness of EINSTEIN. “These things are going to keep happening, and we’re going to see more and more because our detection techniques are improving,” the official said.

Increasingly, breaches are discovered while an organization is trying to improve its security posture. The same thing happened with the CareFirst Insurance hack (disclosed last month).

It’s easy to see how “we found it while we were making improvements” could become the go-to damage-control narrative for companies that are hacked. At least then they were doing something. But it also makes sense that so many companies legitimately discover breaches this way: new monitoring brings visibility into parts of the network that nobody was watching before, and an intruder who has been quietly present for months is exactly what that visibility turns up.

“More and more people are watching their networks, more and more networks are being upgraded with equipment, and we’re going to see more and more breaches as a result of it,” said Jeffrey Stutzman, the CEO of threat intelligence analysis firm Wapack Labs. “OPM is one of the sweetest targets out there. … This is not surprising to me at all. I’m angered, but the truth is I’m glad they caught it.”

Officials say that the hackers had access to employee data like project assignments, Social Security numbers, and performance evaluations. Unlike the last OPM hack, they did not have access to background checks and security clearance applications.

With so many critical breaches all the time, the reality check is what’s important. “There’s not a company or an organization or a computer in this country that isn’t already broken into,” Stutzman says.