Last night it emerged that hackers breached the personal records of as many as four million US federal employees, in what is among the largest known thefts of government data in history.
Investigators suspect that hackers based in China are responsible for the attack, though the Federal Bureau of Investigation is continuing to probe the breach, detected in April, at the Office of Personnel Management, the agency that functions as the federal government's human resources department, managing background checks, pension payments and job training across dozens of federal agencies.
The breach is the third major intrusion into US government computer systems in the past year. Last year, the White House and State Department found that their email systems, including some of President Obama's unclassified emails, had been compromised in an attack attributed to Russian hackers.
And last summer, it emerged that hackers had attempted to swipe the files of tens of thousands of employees who had applied for top secret security clearances, also traced back to China.
Attacks against high-profile targets by nation states are becoming increasingly common, and while the exact identity of the US's latest attacker may never be 100% confirmed, experts such as Piers Wilson, product manager for Huntsman Security, believe that an attack on this scale by a well-funded and skilled adversary should not come as a surprise at this point.
'From ongoing attacks within Europe, to Stuxnet, to the US’s own alleged attacks against North Korea, cyber-attack is firmly entrenched as a 21st century battlefield,' said Wilson. 'However, organisations shouldn’t think that such attacks are only focused on governments and their networks and systems. Like any attacker, a government will attack any target that can benefit it; from opposing nations, to their critical infrastructure, to businesses that it can sabotage or steal valuable information from. What this attack has again shown is that high value, sensitive data (such as employee/HR records) can be at risk as well as valuable intellectual property and other business information.'
Mark Bower, global director at HP Security Voltage, said that theft of personal and demographic data, such as in this case, allows one of the most effective secondary attacks to be mounted: direct spear-phishing to gain deeper system access via credentials or malware, and consequently access to more sensitive data repositories.
These types of attacks bypass classic perimeter defences and data-at-rest security and can only realistically be neutralised with more contemporary data-centric security technologies already adopted by leaders in the private sector. Detection is too late, but prevention is possible through data de-identification technology.
Why is this attack significant?
'Beyond spear-phishing, knowing detailed personal information past and present creates possible cross-agency attacks given job history data appears to be in the mix,' says Bower. 'Thus, it's likely this attack is less about money, but more about gaining deeper access to other systems and agencies which might even be defense or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft.'
So how do these breaches keep happening? James Maude, security engineer at endpoint security software firm Avecto, thinks the spate of federal government breaches underlines the fact that current cyber security defences are not sophisticated enough to prevent infiltration, even when it comes to supposedly highly secure classified networks.
Not to mention, said Maude, these recent attacks show just how serious the consequences of cyber-attacks can be: it is not just an attack on an organisation but can impact individuals. Federal employees will be especially concerned, as OPM will store highly detailed information that would be more than enough to identify someone, compromise their identity or monitor them.
'Sadly, this attack is not a unique event, with organisations across the globe being hit by data breaches on an hourly basis,' said Maude. 'What is often clear in these attacks is that most current defences are not sufficient to deal with the attacks. Many still rely on signature-based detection to identify the known bad, an idea that is fundamentally flawed and unable to keep up with the volume of attacks.'
Another big problem is over-privileged users. In government this is often referred to as 'the Snowden problem', where users are given wide-reaching powers and access with little or no oversight. When threats cannot be identified and users can access too much, warned Maude, you create the perfect environment for a data breach.
'It is time for organisations to start to rethink security and become proactive,' said Maude. 'The focus needs to shift from blame and attribution to a more productive environment of evolving defences and becoming proactive in defence. Security is a journey, not a destination and pointing the finger of blame does nothing to move your own security further down this road.'