The US Office of Personnel Management has come clean on the full extent of the massive data breach that it first disclosed in June, and it's far worse than what was initially thought.
On Thursday, OPM announced that records including data from background checks of some 21.5 million people – including present, former, and prospective government employees and contractors – have been "exfiltrated" – read, stolen – from its databases.
And by the way, that's in addition to the four million people whose records OPM had earlier admitted to letting slip into hackers' hands.
Those 4.2 million personnel records – which included such items as names, Social Security Numbers, dates and places of birth, current and former addresses, and job assignments – were actually stolen from an OPM database hosted by the Department of Interior.
The much more detailed background check information – which includes all of the above plus information about family members and acquaintances, employment history, health and financial records, interview transcripts, usernames and passwords, and even fingerprints – was taken from OPM's own network in a second incident, and only now is the agency admitting the extent of the leak.
"Certainly, during the Cold War nobody would have thought of OPM as a target for identity theft or espionage," said National Security Council cybersecurity coordinator Michael Daniel during a press conference call on Thursday. "Just the nature of paper files and the way that we thought about information didn't lend itself to that."
That will be little comfort to the millions of people whose detailed background information is now in the hands of ... wait for it ... an unknown party.
Although National Intelligence Director James Clapper has publicly suggested that China is the source of the OPM attack, officials repeatedly dodged reporters' questions about attribution on Thursday, saying only that "investigative work is still ongoing."
"Just because we're not doing public attribution does not mean that we are not taking steps to deal with the matter," Daniel said.
Cost of pwnership
By any account, the attack was one of the worst in history. Of the 21.5 million records stolen, 19.7 million were of people who applied for government jobs, including some sensitive positions in the military and intelligence agencies. The other 1.8 million were mainly their spouses or co-applicants. Around 1.1 million records included fingerprints.
Officials said the attackers first gained access to OPM's network in May 2014 using a compromised username and password of a government contractor. From OPM's network they were able to gain access to the Department of Interior network in October 2014.
They were active on OPM's network through January 2015 – nine months – while they spent about six months prowling through the Interior Department's network, ending in April 2015, when OPM first detected the breach.
According to Andy Ozment, the Department of Homeland Security's assistant secretary of cybersecurity and communications, tracing the intruders on OPM's network was much more difficult than spotting them on the Interior Department's systems, which is why it took this long to disclose the breach to the public.
US CIO Tony Scott chimed in on the call to say that the government has conducted a "30-day sprint" to harden up its security in the wake of the attack. Among the results, he said, was a dramatic increase in the use of two-factor authentication for US government systems.
"A number of agencies have hit 100 per cent, and broadly across the government it's increased by 20 per cent," Scott said.
Embattled OPM director Katherine Archuleta – who said on Thursday that she would not resign, despite calls for her to do so – added that the agency is looking into providing credit and identity theft protection services to everyone affected for the next three years, although she did not give specifics of the plan.
OPM has set up a website with information about the attacks and their consequences for affected people, here.
The National Security Council's Daniel added that attacks like the ones that hit the OPM are "not without precedent," and added that increased cybersecurity was a top national priority as the internet is increasingly being used as a tool by criminals and nation-states.
"The truth is that both in the private sector and in the public sector we have not fully made the shift to what living in a truly digital environment means for how we have to think about the kinds of information that we have, where it's stored, how it's stored, how we're protecting it, and how we need to think of that in a much more integrated fashion," Daniel said during Thursday's press conference. "And I think that's a shift that all of us need to be mindful that we need to continue to make." ®