I’m sure you’ve seen this one in the news already. I have resisted commenting immediately, so that we can all take a step back and avoid knee-jerk, reactive comments.
21.5m US federal employees' and associates' personal information lost
Breach went undetected for more than 12 months
In a nutshell, the personal data of 21.5m US government personnel was pilfered over a period of more than 12 months. This included names, addresses, social security numbers (similar to the UK National Insurance number), positions in the government and biometric data. Foreign contacts were also in the data haul. Background-investigation records covering the last 15 years were lost too, including details of friends and associates and the information required for security-clearance roles. This information could expose affected federal employees to coercion or other unfavourable actions.
There were either no or insufficient controls in place to protect the data, control access, detect data leakage or detect malware. Apparently it was only due to a security tool demonstration that the breach was discovered at all.
Source : http://www.prweb.com/releases/2015/06/prweb12787823.htm
The fallout has been severe; Katherine Archuleta, the Director of the US Office of Personnel Management, has resigned in the wake of further revelations about the scale of the hacking attack on the agency. She had been in the role for around two years. The insecurity of OPM's systems was already known: earlier audits by OPM's Office of the Inspector General had documented them as unsafe, with some findings dating back as far as 2007. The Director accepted the risk and kept the servers running without sufficient mitigation. Other findings included servers that were unable to employ encryption and inadequate authentication.
Audit recommendations not properly mitigated
Although an upgrade plan was underway, her mitigation strategy was not fit for purpose and did not reflect the risks and vulnerabilities at the OPM.
This has echoes of the 2013 Target breach, where management were aware of serious issues but under-played and ignored the advice they were given. It neatly highlights the fact that you can have independent audit, but if the risk is not owned by the board, properly interpreted and mitigated, you are leaving your organisation (or indeed country) open to threats.
I have also deliberately avoided the more political aspects of this breach; it is the duty of all countries to spy on one another, for gain, for war and for peace. Blaming one country or another for your own failings is disingenuous at best and totally blinkered to the realities of our world.
Further reading
https://www.opm.gov/cybersecurity/
http://www.cio.com/article/2947453/data-breach/how-opm-data-breach-could-have-been-prevented.html
http://www.cio.com/article/2945425/data-breach/the-opm-lawsuit-will-only-make-the-lawyers-rich.html