Six months ago, the US discovered that China hacked into the records of the Office of Personnel Management, stealing the excruciatingly personal data from everyone employed in the federal government, and everyone granted a security clearance too. At the time, it was called the Pearl Harbor of cyberwarfare, but later it turned out that the hack lasted over a year, not a single Sunday morning. OPM didn’t even have an IT department until the year before the hack began, which is why OPM had outsourced its IT management to a firm based in … China. The true scope of the hack is still somewhat ambiguous, but at least it was a learning experience for OPM. Right?
To a large extent … wrong, according to an Inspector General audit of OPM released two weeks ago:
The Office of Personnel Management (OPM), victim of a massive data breach in July in which personal records of 21.5 million individuals were compromised, continues to struggle to meet security requirements, according to an audit by OPM’s Office of Inspector General (OIG).
The audit found that the OPM has made some progress improving security practices. But it found the agency lacking in many areas. …
“In the wake of this data breach, OPM is finally focusing its efforts on improving its IT security posture,” the report continued. “Unfortunately, as indicated by the variety of findings in this audit report, OPM continues to struggle to meet many FISMA requirements.”
The OIG said the audit shows an “overall lack of compliance that seems to permeate the agency’s IT security program.”
Not only are they “struggling,” in some cases they didn’t even get around to doing a security assessment after the hack:
The agency showed poor judgment by delaying a full security assessment while it migrates applications into a new technical infrastructure, the audit said. “Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program,” the audit said, “we are very concerned that the agency’s systems will not be protected against another attack.”
Among the findings, OPM has up to 23 systems that have not been subject to a thorough security controls assessment. “Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack,” the OIG said.
On the plus side, OPM announced on Friday that they had finally gotten around to notifying most of those whose personal information got hacked — 93% of them, to be exact. That only leaves 1.5 million people who still don’t know:
“The intrusions, linked to China, began in May 2014 and were not discovered and announced publicly until a year later. The postal notifications should be received by the middle of next week, but about 7.0 percent of those hacked, or roughly 1.5 million people, could not receive notification letters because their addresses have changed or are not on file, the Office of Personnel Management said. The hack exposed names, addresses, Social Security numbers and other sensitive information for current and former federal employees and contractors, as well as applicants for federal jobs and individuals listed on background check forms,” wrote Reuters cybersecurity reporter Dustin Volz.
OPM spokesman Sam Schumach said the agency would keep working on the remaining 7 percent to get as close to 100 percent as possible, and called 93 percent notification a very high proportion.
They tried to notify some by e-mail, but, er …
OPM will not rely on email notifications to close the gap. Victims of a smaller, related OPM hack were notified by email and given instructions about what to do, but some experts said the emails unfortunately resembled a phishing scam.
In other words, it’s not exactly the A-team working on this crisis. Let’s not forget that OPM still has the sensitive personal data of everyone working for the federal government as well as the raw investigative files for security clearances. It remains a target, and yet it doesn’t appear that OPM is taking that very seriously. Still.