Concerns that up to 14 million records may have been exposed in the recently disclosed data breach at the U.S. Office of Personnel Management (OPM) were compounded by reports Thursday that much of the data in those records may have been unencrypted.
In a letter to OPM director Katherine Archuleta, the American Federation of Government Employees (AFGE) lamented the sketchy information that has been released on the breach so far and insisted the scope was much broader than let on. AFGE national president David Cox said he has reason to believe that the hackers behind the OPM intrusion accessed personnel records on every single federal employee, federal retiree, and up to one million former federal workers.
Based on the information that OPM has released, the hackers appear to have targeted the agency’s Central Personnel Data File database, Cox said. That would mean the hackers have every employee’s Social Security Number, military records, veteran status information, address, birth date, pay, life insurance, age, race, and other information.
“Worst, we believe Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous,” Cox wrote.
The Associated Press, quoting unnamed government sources, said the records in question date back to 1980 and belong predominantly to former federal employees.
The OPM itself has not disclosed what systems were affected and said it believes the intrusion occurred in December 2014. The agency has also been somewhat vague on the specifics of how the breach was discovered, merely noting that it became aware of the intrusion when implementing new security measures.
However, ABC News reported that unnamed sources had told it the initial intrusion had actually happened more than a year ago and remained undetected since then. The hackers then worked their way through four different segments of OPM systems, ABC said, describing what appears to have been lateral movement by the attackers across the network. And according to the Wall Street Journal, the breach was actually discovered in mid-April during a product demonstration by security vendor CyTech.
CyTech did not immediately respond to a Dark Reading request for comment.
The breach, especially given its widening scope, is sure to focus attention on the use—or lack of use—of encryption to protect sensitive data by government agencies.
According to the OPM, it manages sensitive data on more than 30 million people. The prospect that all, or much, of that data is unencrypted has already sparked outrage from AFGE, and it's almost certain that the agency will get a lot more grief on the issue in coming months.
“Let’s be clear here, the excuses the government uses to not have encrypted all of that sensitive data are wholly unacceptable,” said Richard Blech, CEO and co-founder of Secure Channels, in a statement. “There is no viable reason for sensitive government data to be left in a database that was cleartext and unencrypted, unless the goal was to have it stolen.”
What’s not immediately clear is how useful encryption would have been in this situation, especially if the hackers accessed the Central Personnel Data File database using valid login credentials. In that case, the hackers would likely have had the same access to the data and the encryption keys as the legitimate owner of the account.
And while encryption may be a best practice, it's not entirely surprising that OPM did not encrypt the data, adds Rich Stiennon, chief research analyst at IT-Harvest.
“Encryption is the last line of defense for sensitive data at rest,” Stiennon says. “But it is still hard for many organizations to pull off, because with encryption comes the headache of key management. Encrypted data, especially in an active database such as that kept by OPM, has to be decrypted on-the-fly when it is accessed,” he said.
An attacker can either attempt to steal the encryption keys along with the database, or simply gain authorized access and suck the data out, he said. “Encryption alone is not enough against a determined hacker. The recent IRS hack is an example of how just using a web front end can be manipulated into giving access to decrypted data.”
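The point made above, that at-rest encryption does nothing against a reader who already holds valid credentials because the application decrypts records on the fly, can be shown with a small model. The code below is an added illustration, not code from the article, OPM, or any vendor quoted in it; the personnel records, the user name `hr_clerk`, the `BULK_READ_THRESHOLD` of 100 reads, and the stdlib-only toy cipher (an HMAC-SHA256 keystream with an HMAC tag, standing in for a real AEAD such as AES-GCM) are all assumptions made for the example. Fields are stored encrypted, so the raw rows hold no plaintext Social Security Numbers, yet any authenticated session reads them back in clear, which is why the store also counts reads per session and raises an alert on bulk access, a control that works even when encryption cannot.

```python
import hashlib
import hmac
import os
from collections import Counter


# Toy stand-in for a real AEAD cipher (assumption: a production system would use
# AES-GCM or similar); kept stdlib-only so the example runs anywhere.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Return nonce || ciphertext || tag for one database field."""
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    """Verify the tag, then decrypt; refuses tampered ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class PersonnelStore:
    """SSNs are encrypted at rest, but the application holds the key and decrypts
    on the fly for every authenticated session, as the article describes."""

    BULK_READ_THRESHOLD = 100  # assumption: alert once a session exceeds this many reads

    def __init__(self, records, authorized_users):
        self.key = os.urandom(32)  # key lives with the application, not with the user
        self.rows = [dict(r, ssn=encrypt_field(self.key, r["ssn"])) for r in records]
        self.authorized = set(authorized_users)
        self.reads = Counter()
        self.alerts = []

    def raw_storage(self):
        """What an attacker sees if they copy the database files without the key."""
        return self.rows

    def read_record(self, session_user, idx):
        """What an attacker sees with valid credentials: plaintext, every time."""
        if session_user not in self.authorized:
            raise PermissionError("not logged in")
        self.reads[session_user] += 1
        if self.reads[session_user] == self.BULK_READ_THRESHOLD + 1:
            self.alerts.append(f"bulk read by {session_user}")
        row = self.rows[idx]
        return dict(row, ssn=decrypt_field(self.key, row["ssn"]))


def demo():
    # Constructed sample records; the SSN values are deliberately fake.
    records = [{"name": f"employee-{i}", "ssn": f"000-00-{i:04d}"} for i in range(150)]
    store = PersonnelStore(records, authorized_users={"hr_clerk"})
    plaintext_on_disk = any(b"000-00-" in row["ssn"] for row in store.raw_storage())
    first = store.read_record("hr_clerk", 0)
    dumped = [store.read_record("hr_clerk", i) for i in range(len(records))]
    return {
        "plaintext_on_disk": plaintext_on_disk,      # False: encryption at rest worked
        "authenticated_read_ssn": first["ssn"],      # "000-00-0000": credentials bypass it
        "records_dumped": len(dumped),               # 150: the whole table, in clear
        "alerts": store.alerts,                      # the read-volume monitor fired
    }


if __name__ == "__main__":
    print(demo())
```

The two observations a defender should take from the output are that encryption at rest closes the "copy the database files" path but not the "log in and read" path, and that the read-count alert is the control that covers the second path; in a real deployment that monitor would sit in the database audit log or the application's access layer rather than in the store class itself.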