Federal Employees Sue Over Massive Breach

     WASHINGTON (CN) – The record-setting cyberattack on the U.S. Office of Personnel Management evinces a failure to take yearly audits to heart, government employees claim in Federal Court.
     It has been nearly a month since OPM announced that hackers had breached its vast store of personnel and security files created for anyone applying for government work. Though OPM announced the breach on June 4, the agency has since admitted that it detected the intrusion as early as April, the American Federation of Government Employees notes in a June 29 complaint.
     The union and two government employees affected by the breach say that OPM “was on notice” about its vulnerability to a breach since the agency received “10 million confirmed intrusion attempts targeting its network in an average month” leading up to the April attack.
     Information about the scope of the breach continues to emerge.
     Just last week, “CNN reported that these numbers continue to increase, and that the OPM Breach potentially affects 18 million federal applicants,” according to the complaint.
     The union says OPM’s cybersecurity software fell short of federal standards, and that the team tasked with monitoring the systems did not perform the maintenance necessary to keep the programs running smoothly.
     Such sloppiness is a bad fit for an agency tasked with managing the software system known as the “electronic Official Personnel Folder,” according the complaint.
     The union notes that this “eOPF file” contains employee-performance records, federal job applications, Social Security numbers, addresses and birth certificates, among other personal information.
     Annual audits by OPM’s Office of Inspector General have allegedly identified “material weakness[es]” as far back as 2007.
     “The OPM not only failed to cure the weaknesses, but the OIG found that in many areas the OPM’s performance actually got worse,” the complaint states. “According to a 2014 OIG report, the ‘drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own.'”
     In November 2014, the federal auditor faulted OPM over its “failure to use Personal Identification Verification Cards for multi-factor authentication in all major software systems,” the complaint notes.
     This two-part authentication would “ensure that only authorized users have access to secure software systems” since it requires anyone trying to access the database to input a password and a card with a computerized chip in it, the union says.
     The OIG’s last audit also “found that only 10 of 21 software systems due for authorization were completed on time,” according to the complaint.
     OPM operated “over 65 percent of all software systems” in two of the major support systems lacking authorization, the auditor allegedly warned.
     That audit concluded “that the OPM’s software systems were so vulnerable that … the OPM should consider largely ‘shutting [them] down,'” the complaint states
     Among other deficiencies, the auditor cited insufficient risk-management policies and scanning programs to identify weaknesses in security software, the union claims.
     That report also allegedly found OPM’s cybersecurity programs had not been tested in eight years.
     “Despite the OPM’s ‘history of struggling to comply with FISMA requirements’ and failure to take recent steps to secure its software systems, the OPM continues to insist it did nothing wrong,” the complaint says.
     The union speculates that the hackers, thought to be operating from China, acquired “information about workers’ sexual partners, drug and alcohol abuse, debts, gambling compulsions, marital troubles, and any criminal activity,” along with Social Security numbers and other information that could be used in identity theft.
     Joining the union as plaintiffs are Adam Dale, a former U.S. Social Security Administration attorney adviser, and Robert Crawford, an operating practices inspector for the Federal Railroad Administration.
     “Since 2007, officials at OPM have been alerted to their lackluster data security policies and protocols and failed to take appropriate steps to safeguard the information,” the union said in a statement about its filing. “Although they were forewarned about the potential catastrophe that government employees faced, OPM’s data security got worse rather than better.”
     OPM offered credit-monitoring services to its employees in the wake of the breach, though phishers quickly mimicked the emails the agency sent advertising the service, potentially compromising more personal information, according to the complaint.
     In addition to OPM, the suit names as defendants the agency’s director, Katherine Archuleta; Chief Information Officer Donna Seymour and Keypoint Government Solutions.
     Keypoint is a government contractor that undertook federal background checks at the time of the breach.
     The defendants declined to comment on the pending litigation.

Exit mobile version