3 Security Lessons Learned From the Massive Government OPM Data Breach

Before we touch on some crucial IT security lessons (and why it’s so important to have consistent monitoring of your systems), it’s time to take a brief break from your regular programming and tune into some geopolitical intrigue.
If you aren’t up to speed on the massive security breach that occurred in the federal government’s OPM computer network recently, here is a brief summary of the Hollywood-like scale of espionage (as if it were a plot from a “Mission Impossible” film) and foolishness (as if it were a “Dumb and Dumber” sequel) that took place:

A Brief Summary of Government OPM Data Breach

• The OPM (Office of Personnel Management) is the Human Resources Department for the entire government — millions of employees — which means it stores identifying information from their invasive background checks for security clearances on a vast number of current and former employees — including every active spy — who works for the government.
• Despite choosing to store these files on networks vulnerable to hacking, the OPM had no IT security staff until 2013. Yes, you read that correctly. This was accurately reported in Wired Magazine. But it gets worse. Much worse.
• The government, as reported by The Wall Street Journal and TechDirt, was not even the one who discovered that they’d been hacked. A cybersecurity vendor — yes, a vendor — was running a sales demonstration for their networks forensic platform at a conference for the OPM. The vendor discovered the active malware mid-presentation while doing the demo. (As TechDirt joked: “Guess their product works, huh? That may go down as one of the most effective product demos ever.”)
• It was then learned, also reported by The Wall Street Journal, that the malware had already been active for a year, and that it had been giving China unfettered access to OPM’s files; and the files were not encrypted. But it gets worse (if you can imagine).
• The government had already given root database access, which gives you unhindered power to obtain files whether or not they are encrypted, to contractors who were working in China for years prior.
• China can now hawk intimate background check information for millions of American government employees to any bidder.
• This compromises the identities of intelligence workers and supplies foreign governments with an abundance of information that can be used for blackmail operations or the destruction of a government employee’s credit.

What We Can Learn From This Security Nightmare

Whether you’re a government agency managing the sensitive files of millions of people or you’re a company with a staff of 30 employees, there are crucial lessons to be learned from the OPM disaster:
1. Don’t wait until a sales demo to run a thorough security check of your systems.

In fact, you should have constant monitoring of your networks. Your IT personnel should be capable of consistent proactive and reactive security monitoring from day-to-day.
2. Be careful how/where you store sensitive information.
Some NATO governments refuse to store their most sensitive data electronically. Although you likely will never have to go the extreme measure of maintaining a warehouse full of paper files, the principle is the same: don’t place sensitive data in highly vulnerable locations that are not secured. In addition, always back-up your data in separate locations that cannot be accessed from your network.
3. Choose a trusted IT security team and insist that they document their security plan in detail.
It’s always a good idea to have your IT team document everything they do in writing for you so that your access to their processes and your understanding of your network security is not dependent on them cooperating with you. And if you’re in a situation where an IT company or a disgruntled employee is holding your data hostage, contact our BITS Rescue Team (Bad IT Service Rescue), and we will liberate your data and return control to you.
Contact us for more helpful tips on IT security and building a fruitful partnership with a managed service provider.