OPM Breach Scope Widens, Employee Group Blasts Agency For Not Encrypting Data

Lack of encryption 'indefensible' and 'outrageous,' American Federation of Government Employees says.

Concerns that up to 14 million records may have been exposed in the recently disclosed data breach at the U.S. Office of Personnel Management (OPM) were compounded by reports Thursday that much of the data in those records may have been stored unencrypted.

In a letter to OPM director Katherine Archuleta, the American Federation of Government Employees (AFGE) lamented the sketchy information that has been released on the breach so far and insisted the scope was much broader than let on. AFGE national president David Cox said he has reason to believe that the hackers behind the OPM intrusion accessed personnel records on every single federal employee, federal retiree, and up to one million former federal workers.

Based on the information that OPM has released, the hackers appear to have targeted the agency’s Central Personnel Data File database, Cox said. That would mean the hackers have every employee’s Social Security Number, military records, veteran's status information, address, birth date, pay, life insurance, age, race, and other information.

“Worst, we believe Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous,” Cox wrote.

The Associated Press, quoting unnamed government sources, said the records in question date back to 1980 and belong predominantly to former federal employees.

The OPM itself has not disclosed what systems were affected and said it believes the intrusion occurred in December 2014. The agency has also been somewhat vague on the specifics of how the breach was discovered, merely noting that it became aware of the intrusion when implementing new security measures.

However, ABC News reported that unnamed sources had told it the initial intrusion had actually happened more than a year ago and remained undetected since then. The hackers then worked their way through four different segments of OPM systems, ABC said, describing what appears to have been lateral movement by the attackers across the network. And according to the Wall Street Journal, the breach was actually discovered in mid-April during a product demonstration by security vendor CyTech.

CyTech did not immediately respond to a Dark Reading request for comment.

The breach, especially given its widening scope, is sure to focus attention on the use—or lack of use—of encryption to protect sensitive data by government agencies.

According to the OPM, it manages sensitive data on more than 30 million people. The prospect that all, or a large share, of that data is unencrypted has already sparked outrage from AFGE, and it is almost certain that the agency will get a lot more grief on the issue in coming months.

“Let’s be clear here, the excuses the government uses to not have encrypted all of that sensitive data are wholly unacceptable," said Richard Blech, CEO and co-founder of Secure Channels in a statement. “There is no viable reason for sensitive government data to be left in a database that was cleartext and unencrypted, unless the goal was to have it stolen.”

What's not immediately clear is how much encryption would have helped in this situation, especially if the hackers accessed the Central Personnel Data File database using valid login credentials. In that case, the hackers would have gone through the same access path as the legitimate owner of the account, and any system that decrypts records on demand for an authenticated user would have handed them decrypted data just as readily as it did the account owner; in effect they had the same reach to the data and the keys that protect it.

And while encryption of data at rest may be a best practice, it is not entirely surprising that OPM did not encrypt the data, adds Rich Stiennon, chief research analyst at IT-Harvest.

“Encryption is the last line of defense for sensitive data at-rest,” Stiennon says. “But it is still hard for many organizations to pull off, because with encryption comes the headache of key management. Encrypted data, especially in an active database such as that kept by OPM, has to be decrypted on-the-fly when it is accessed,” he said.

An attacker can either attempt to steal the encryption keys along with the database, or simply gain authorized access and suck the data out, he said. “Encryption alone is not enough against a determined hacker. The recent IRS hack is an example of how just using a web front end can be manipulated into giving access to decrypted data.”
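To make the point in the preceding paragraphs concrete, here is an added example that is not OPM's code, not anything the article describes, and not the product of any vendor quoted above. It models a hypothetical personnel application that holds a column-encryption key and decrypts Social Security numbers on the fly for authenticated users, then walks the three access paths Stiennon distinguishes: theft of the database alone, theft of the database together with the key, and use of valid application credentials. The cipher is a stand-in HMAC-SHA256 keystream used only so the example runs with the standard library (a real deployment would use an AEAD such as AES-GCM); the names, SSNs, usernames and password are all constructed.

```python
"""Why encryption at rest does not stop an attacker holding valid credentials.

Added example: a hypothetical application, not OPM's system.  Three ways of
reaching the same SQLite table:
  1. exfiltrate the database file without the key  -> ciphertext only
  2. exfiltrate the database file plus the key     -> plaintext
  3. log in to the application with valid creds    -> plaintext, via the app
"""
import hashlib
import hmac
import os
import sqlite3

NONCE_LEN = 16


# Stand-in cipher: HMAC-SHA256 keystream in counter mode XORed with the data.
# Illustrative only; it exists so the example runs without third-party packages.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Constructed sample records: fictitious names and SSNs.
SAMPLE_RECORDS = [
    (1, "A. Example", "000-00-0001"),
    (2, "B. Example", "000-00-0002"),
]


def build_database(key: bytes) -> sqlite3.Connection:
    """In-memory personnel table with the SSN column encrypted at rest."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE personnel (id INTEGER PRIMARY KEY, name TEXT, ssn_enc BLOB)")
    for emp_id, name, ssn in SAMPLE_RECORDS:
        conn.execute("INSERT INTO personnel VALUES (?, ?, ?)", (emp_id, name, encrypt(key, ssn.encode())))
    conn.commit()
    return conn


def make_user(password: str) -> tuple:
    """Salted PBKDF2 credential record for the hypothetical user table."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PersonnelApp:
    """The legitimate front end: authenticate, then decrypt the record on the fly."""

    def __init__(self, conn: sqlite3.Connection, key: bytes, users: dict):
        self.conn = conn
        self.key = key      # the application must hold the key to serve any request
        self.users = users  # username -> (salt, pbkdf2 hash)

    def _authenticate(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, expected = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, expected)

    def lookup_ssn(self, username: str, password: str, emp_id: int) -> str:
        if not self._authenticate(username, password):
            raise PermissionError("bad credentials")
        row = self.conn.execute("SELECT ssn_enc FROM personnel WHERE id = ?", (emp_id,)).fetchone()
        return decrypt(self.key, row[0]).decode()


def stolen_dump(conn: sqlite3.Connection) -> list:
    """Path 1: the table is copied out, but the key is not."""
    return [row[0] for row in conn.execute("SELECT ssn_enc FROM personnel")]


def stolen_dump_with_key(conn: sqlite3.Connection, key: bytes) -> list:
    """Path 2: the dump leaves together with the application's key."""
    return [decrypt(key, blob).decode() for blob in stolen_dump(conn)]


def demo() -> dict:
    key = os.urandom(32)
    conn = build_database(key)
    app = PersonnelApp(conn, key, {"hr_clerk": make_user("constructed-password")})
    expected = [ssn for _, _, ssn in SAMPLE_RECORDS]

    # Path 1: no plaintext SSN appears anywhere in the exfiltrated blobs.
    file_only_leaks = any(ssn.encode() in blob for blob in stolen_dump(conn) for ssn in expected)
    # Paths 2 and 3 both produce every SSN in the clear.
    file_plus_key = stolen_dump_with_key(conn, key)
    valid_creds = [app.lookup_ssn("hr_clerk", "constructed-password", emp_id) for emp_id, _, _ in SAMPLE_RECORDS]
    try:
        app.lookup_ssn("hr_clerk", "wrong-password", 1)
        wrong_password_rejected = False
    except PermissionError:
        wrong_password_rejected = True
    return {
        "file_only_leaks_plaintext": file_only_leaks,
        "file_plus_key": file_plus_key,
        "valid_credentials": valid_creds,
        "wrong_password_rejected": wrong_password_rejected,
        "expected": expected,
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Only the first path is defeated by encryption at rest; the other two are the ones a determined intruder actually uses, which is why key custody and privileged-access controls, not the cipher, decide the outcome.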


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Apprentice
6/19/2015 | 11:05:14 AM
Re: Encryption is NOT a panacea
Your firewalls don't matter if you allow "root" access to people. Encryption doesn't matter, nothing matters. Privileged access controls were totally absent here... which given the nature of the information and the fact it was third-partied out to a NON US firm, is frankly, mindboggling.

I find it disturbing the amount of data breaches lately and the lack of understanding on HOW the real damage is caused.

Here is a fact to chew on...

100% of all advanced attacks exploit privileged credentials. In this case however, they didn't even have to exploit them because they were given full authorization to access anything they wanted from the get go.

Hello!?!?!? Anyone over at the OPM ever hear of "least privileged" access policies! Geez.

Scarier yet, even though most in the business would say it's ill advised to offer such carte blanche access to any administrator in the private sector, giving root access to admins is still quite common in all industries, from small businesses to large multinational corporations.

Ask Sony Pictures, Anthem, Premera, and Target.
User Rank: Apprentice
6/16/2015 | 11:31:32 PM
Re: Encryption is NOT a panacea
I'd like to know what route the attackers took into the OPM network(s), if firewall rules were in place that should have prevented or slowed their access, and how the account and password information was obtained. Was it an administrative direct database access, or access to a front end application? I think it's important for other IT professionals to know this.
User Rank: Ninja
6/15/2015 | 2:44:27 PM
Encryption is NOT a panacea
This compromise was not caused by lack of data encryption practices.  Even if true, data encryption would not have stopped this.

This compromise was conducted using resource accesses that had the necessary credentials and keys to view encrypted data.

The people yelling about encryption shortfalls may have legitimate claims about data-at-rest (DAR) issues, but are coming across as clueless to the real causes for breaches of this magnitude: compromise of data using accesses that have been provided by the system.

I agree, especially on notebook and mobile device platforms, that encryption of data is a good practice if done correctly.  But data encryption is not and will never be a protection against the compromised user account (with access rights) scenario.