One of the nation’s largest government employee unions said Thursday that the cyber attack targeting the Office of Personnel Management may have compromised personal information belonging to every current and retired federal employee, putting the number of potential victims much higher than originally thought.
In a letter to OPM Director Katherine Archuleta, the president of the American Federation of Government Employees said it appears that the main personnel database at OPM was the target of the hackers.
“Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees,” wrote J. David Cox in a letter dated June 11. “We believe the hackers have every affected person’s social security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more,” Cox wrote.
Cox also said the union believes the Social Security numbers compromised were not encrypted, calling it “absolutely indefensible and outrageous.”
In an exclusive interview with FedScoop, Howard Schmidt, the former U.S. cybersecurity coordinator at the White House, said in his current role as a consultant and executive director of SAFEcode he rarely sees organizations using encryption to protect data.
“I get the standard look, ‘oh, what’s encryption?’ Or somebody says, ‘no, encryption is too difficult, we don’t have the CPU cycles, we don’t have the bandwidth.’ And it goes on and on and on,” Schmidt said. “But I know all of that is bunk. If you want to do risk management make sure you have data that is encrypted.”
In addition, the OPM breach has led to calls for the government to move away from the reactive, signature-based intrusion detection system that discovered the breach four months after it first occurred. Information about the breach’s depth was discovered by the Department of Homeland Security’s Einstein system after OPM moved to enhance its security practices in the wake of prior breaches. According to multiple reports, the attack used zero-day exploit, tapping into a previously unknown vulnerability, to gain access to a system.
“If you depend on Einstein or any known malware protection, you’re going to have a failure because what you get is only what you know about,” Schmidt said.
The AFGE is calling on OPM to offer all affected employees free lifetime credit monitoring and liability insurance that covers any loss attributable to the breach. OPM had recently said it would provide 18 months of credit monitoring and up to $1 million liability insurance.