Massive data breach in the United States highlights consequences of inadequate data security
June 19, 2015
Data breaches by hackers have brought significant adverse publicity to the organisations affected and understandable concern among those whose personal information was viewed and taken. Breaches of Sony Pictures and Target have resulted in considerable financial losses, not to mention reputational damage for those brands. Breaches of Government networks are equally damaging, if not more so. Data held by authorities often relates to everyday individuals. There is a high potential for identity theft if enough personal information about an individual is taken. There are other impacts, such as being profiled and monitored, if the intent is non-economic, as often occurs with hacking by other countries.

What is often not mentioned in reports of these data breaches is that the breaches themselves are almost invariably due to poor cyber security practices, such as failing to patch security programs, not fixing well-known vulnerabilities, giving third parties with poor security practices access to a network, and poor staff training. Inadequate security practices were behind the recent massive breach of the United States Office of Personnel Management (OPM). The OPM has a large database of personal information of US federal employees, though the breach could also affect personal information of private citizens. The Economist’s article “Put up the firewalls” makes it clear that the breach was avoidable and that the measures to detect the hack once the breach occurred were inadequate. It is a familiar story brought about by a combination of poor practices and inadequate enforcement of regulations.
The article provides:
WHEN it comes to Chinese hacking, Americans cannot say they were not warned. In January James Clapper, the director of national intelligence, told a technology conference in New York that “China has been robbing our industrial base blind, largely with vulnerabilities that are easy to guard against or to simply fix.” They are, he said, “cleaning us out, because we know we’re supposed to do those simple things, and yet we don’t do them.”
On June 4th his point was proved when the Office of Personnel Management (OPM), the government’s recruitment agency, revealed that the personal records of some 4m current and former federal employees had been stolen by hackers. The thieves are thought to be from a group connected to the Chinese government. Their attack, which was uncovered in April, apparently took place over several months and exploited long-known holes in the OPM’s technical systems.
What information was stolen is not fully known yet. But it seems likely to include Social Security numbers, job assignments, performance ratings and training information. It may also include financial records and details of security clearances, some going back decades. That none of it seems to have yet appeared for sale on the shadier corners of the internet—despite the fact that Social Security numbers can be used to apply for credit cards and the like—supports the argument that this attack was espionage rather than mere cybercrime.
The vulnerability of the OPM was well-known. A report last November by the Office of the Inspector General noted that, among other failings, the agency did not use multi-factor authentication to access its systems. Such tools—common in online banking and e-mail services—typically require users to enter a one-time code, often from a text message sent to their phone, to log in. This frustrates hackers using “spoofing” or “spearphishing” to trick users into handing over their passwords.
What might the Chinese want with a trove of data about American federal employees? James Lewis of the Centre for Strategic and International Studies, a think-tank, argues that the aim is to build a “gigantic biographical database”, which could be mined to find potential information sources or weaknesses. American intelligence agencies collect such data on Chinese and Russian targets, he says. Civilian agencies such as the OPM are attractive to hackers because, unlike military or defence agencies, their computer systems tend to be less well-protected.
This is hardly the only time America’s government has been broken into. On June 8th the Syrian Electronic Army, an outfit linked to Bashar Assad, briefly took over the US army’s website. In April officials admitted that, last year, Russian hackers got deep into the State Department’s unclassified computer system, downloading e-mails, including some sent by Barack Obama. Hackers of various hues have also breached the systems of private firms. Some reports suggest that the group behind the OPM hacking was also responsible for stealing millions of records from Anthem and Premera, two large health insurers, earlier this year.
Publicly, the White House has so far refused to blame the Chinese for the attack on the OPM. The Chinese, too, have not accepted responsibility. At the end of June Chinese and American officials are due to meet for the seventh Strategic and Economic Dialogue in Washington, which neither side wants overshadowed with rows about spying. Unlike industrial espionage, hacking of government agencies to gain information is generally considered acceptable. The question for American officials is how to stop making it so easy.