Fallout From OPM Breach Continues
Not surprisingly, the fallout from the OPM breach continues. Here are a few new items in the news after OPM Director Archuletta was basically fired.
- The OPM has changed it’s privacy policy to allow investigators to probe it’s databases. This happened after the discovery of “significant entryways” for hackers in at least 3 more databases. The change allows external agencies, contractors and any “appropriate persons and entities” to access OPM systems. This could be worse than the attack because I don’t have a lot of confidence that the OPM will manage this well.
- While the OPM picked a contractor to help them manage the first breach in a day, under the table, with no bids (and took a lot of heat over it), they put out an RFI last week for this breach. One of the potential bidders is LifeLock, although they may be low on the list due to their new problems with the FTC. Preliminarily, they want to pick a vendor on August 14th, with notices going out starting the next week. This points to how hard it is to get ahead of the breach steamroller if you did not plan ahead.
- Lawmakers are asking the GAO to review how effective credit monitoring is in this situation. Also, how adequate it is. I have said before it is mostly useless and totally inadequate. We will see what the GAO says. Unfortunately, I am not aware of any product on the market that would work well in this case. They are also asking if these services make you more vulnerable in the future (as I suggested yesterday with LifeLock).
- Questions are being asked if the hackers might have been able to change security clearance information – either questionnaires or status. The OPM would not say, meaning that they cannot assure us that the hackers could not do that. If the integrity of that information is suspect, that is a BIG problem.
- Valerie Plame, former CIA operative and now author, who herself was outed by President George Bush’s staff as retaliation for comments her husband Joe Wilson made, said that the attackers “are going to be able to exploit this information for decades.”. Unfortunately, that is an understatement.
- Some people have blasted the White House for not identifying the Chinese as the source. Here is the reasoning. The NSA does exactly the same thing. Hopefully, they don’t get caught. If we start indicting the Chinese for this, they will likely point out that we do it to – probably with some evidence. We don’t want another Snowden.
- Lastly, the OPM is telling agencies that they are going to share in the OPM’s pain. In particular, they are going to pay for the cost of dealing with the breach. Given this breach will likely cost the OPM hundreds of millions and the government does not buy insurance, someone has to pay for it. The agencies are not happy, but also not surprised that they will have to write some big checks.
It’s gonna get even messier before we clean this stuff up.
Information for this post came from IAPP, the International Association Of Privacy Professionals.