The US agency plundered by Chinese hackers made one of the dumbest security moves possible
The massive breach of OPM's database - made public by the Obama administration earlier this month - prompted speculation over why the agency hadn't encrypted its systems, which contain the sensitive security clearance and background information for intelligence and military personnel.
According to Ars, however, encryption would not have helped in this case because administrators responsible for managing these records had root access to the system, Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified yesterday at a 2-hour hearing before the House Oversight and Government Reform Committee.
And it turns out that a systems administrator responsible for handling the agency's records "was in Argentina and his co-worker was physically located in the [People's Republic of China]," a consultant who worked with an OPM-contracted company told ArsTechnica.
"Both had direct access to every row of data in every database: they were root."
Experts and politicians are now lambasting the US government for the way the agency handled IT security.
"OPM is right in general that encryption is not magic security butter," Dave Aitel, CEO of cybersecurity firm Immunity, Inc., told Business Insider. "But the committee is also right in that OPM was massively negligent."
All told, 65% of OPM's data was stored on systems lacking proper security certification, Ars reports, meaning the data was vulnerable to far more people than just those with root access and valid login credentials.
"They [the unsecured systems] were in your office, which is a horrible example to be setting," House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta during the hearing.
"OPM's data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information," Chaffetz added.
The OPM IT team frequently outsources its work to foreign contractors working in their home countries. Those holding Chinese passports are no exception.
"Another team that worked with these databases had at its head two team members with [People's Republic of China] passports," the consultant told Ars. "I know that because I challenged them personally and revoked their privileges."
"From my perspective, OPM compromised this information more than three years ago," he added. "And my take on the current breach is 'so what's new?'"
In fact, the breach was unprecedented in its breadth and scope: "Security-wise, this may be the worst breach of personally identifying information ever," Michael Borohovski, CEO of Tinfoil Security, told Business Insider on Friday.
The OPM also "conducts more than 90% of all federal background investigations, including those required by the Department of Defense and 100 other federal agencies," Reuters reported last week.
Experts fear the stolen information could be used by the Chinese government to blackmail, exploit, or recruit US intelligence officers, compromising the success and safety of agents operating at home and abroad.