Massive Federal Breach Impacts 21.5M People, Highlighting Need For More Government Security Investment
Ramin Edmond and Sarah Kuranda
The impact of the massive data breach at the U.S. Office of Personnel Management (OPM) was bigger than previously thought, with the government revealing Thursday that hackers stole sensitive personal information from 21.5 million federal workers and contractors. Solution providers said the revelation should serve as a wakeup call for how the government approaches and invests in security technology.
The breach was discovered in late May after a separate, unrelated breach hit the agency in April, exposing the personnel data of 4.2 million individuals. After a deep, interagency investigation into the second incident, investigators found with "high confidence" that 21.5 million individuals were affected, including 19.7 million individuals who had applied for a background check and 1.8 million others associated with those applicants.
The information exposed includes sensitive background information, including Social Security numbers, residency and educational history, employment history, information about immediate family and other personal and business acquaintances, health, criminal and financial history, and more. Of the total individuals affected, 1.1 million individuals had their fingerprint information exposed, the investigation found.
Individuals affected include those who had a background check with OPM since 2000, though those who underwent investigations before that could still be affected.
Solution providers said that the news should spur the federal government to invest heavily in improving its security technology. Steve Halligan, president and chief operating officer of Washington, D.C-based N2Grate, a data center and cloud solutions provider in the federal IT market, said it's instances like these that solidify the need for government agencies to "have security at the foundation of everything," and have it be the top priority in terms of funding.
"Customers should first think of their security approach and fund that before allocating things on their priority list," Halligan said. "Security needs to be the top priority because the ramifications are so great. We all have needs and wants, but you have to focus on the needs. Security needs to be a top priority in funding. Federal agencies can have limited resources to cover their needs and may not cover security as well as they should."
In its announcement, the OPM said that, in addition to providing monitoring and protection services for those affected, it would be taking "aggressive action" to boost its cybersecurity systems. In particular, the agency said it would be taking steps to leverage outside expertise, modernize its systems and ensure internal accountability. As part of a 30-day cybersecurity sprint and a 90-day interagency review, the agency said it would also deploy two-factor strong authentication for all users, expand continuous monitoring and hire a cybersecurity adviser.
Those steps present a massive opportunity for solution providers, said Steve Katsman, chief information officer and senior vice president at Philadelphia-based Micro Technology Group. As the scale of the breach moves security up the federal priority list, Katsman said, he expects he will see more opportunity to drive sales around security to federal and corporate clients.
"What it means to people in my field is that 'security' in all its facets will become an even bigger topic in the industry than the 'cloud,' since the security aspect is going to start hitting home on an individual as well as corporate level more and more each week," Katsman said in an email. "This also means that products, services and companies able to assist in this space will see an ever increasing demand for their services as well as demand to help improve visibility and accountability for the various products as the attacks keep getting more sophisticated."
However, Halligan said he is a little skeptical that this breach, despite the fallout, will lead to a dramatic change in the way government organizations handle their security practices. He noted that with the frequency of breaches occurring today, instances such as these are quickly forgotten.
"These things sometimes flare up and die down," he said. "This one hits closer to home on personal information in a government agency. I don't see this being a compelling event to change federal security posture. I just don’t see this OPM thing being a huge compelling event to change things. The reality is, people will say this was a policy breach that allowed someone to get in and do whatever. An agency will say we need to be tighter ... but these things continue to pop up."
The OPM said it would be sending notifications to those affected by the breach with information on next steps. It said it will also be providing monitoring and protection services for three years for those affected as well as rolling out an online cybersecurity incident response center and call center. The agency also said it will be rolling out credit and identity theft monitoring services in the coming months for all federal employees.
PUBLISHED JULY 9, 2015