The FBI is currently investigating the latest major data incursion into the heart of the US Government, announced today: hackers (believed to originate in China) are suspected of a large-scale ‘cyber intrusion’ into US personnel records, which has sent nervous ripples around the Pentagon.
The Office of Personnel Management, which holds the records of US federal workers on behalf of other departments across the States, today sent notifications to around 4 million employees warning them that some of their personal information may have been compromised. This includes employment details, medical records and financial information.
The security community believes the attack emanates from either Russia or China, given its sophistication and the type of data taken.
This goes well beyond a criminal act and into the murky world of nation-state cyber espionage. Succeeding at this scale requires nation-state backing and sophisticated resources. Indications are that the penetration began 6-8 months ago. The concern is that some of the data belongs to individuals in high positions of trust in Government circles and may lead to them being threatened, coerced or compromised in future.
To counter this, the US Government has launched a high-priority effort to require users to authenticate with two-factor PIV cards (smartcards with a chip) as a first phase of defence. A second step is to separate authorised users from the ability to re-configure systems or networks as part of the same process. This would be done by creating privileged entitlement management and separation processes, putting more physical barriers in the way of penetrating central systems.
Big or small, companies need to defend against increasingly sophisticated intrusions and commit to higher scrutiny of systems and investment in data defence. There is no single fix any more.
The responsibility of the Data Controller to manage an individual’s records, whether digital or manual, weighs heavily on commercial businesses and organisations of every hue and sector. Ignorance is not a defence, though good security and governance can make for a softer fall.