Federal Government Hacked: Lessons for HR

Experts say hackers may target employees for additional information

By Aliah D. Wright June 12, 2015

Cyber warfare, apparently, is getting personal.

This according to experts who say that the millions of past and present federal employees whose personal data was stolen in the U.S. Office of Personnel Management (OPM) cyberattack on June 4, 2015, may have been targeted because of who they are and what they know.

As HR and IT personnel for the government scramble to determine the extent of the damage and notify about 80 percent of federal workers that hackers may have stolen their names, Social Security numbers, addresses and other information, experts tell the Society for Human Resource Management that it’s important to determine the motive behind the attack.

What could hackers want with this information? To commit identity theft? Fraud? Blackmail? Discover who has more sensitive data than others? All of the above, experts say.

“Employee and health care data (as opposed to cardholder data) are increasingly targeted for theft and no one is sure why that is happening,” said Mike Fleck, CEO and co-founder of CipherPoint Software, a data security software vendor. “Since every organization has an HR department, it will be critical for all of us to know the motivation behind this shift.”

For its part, OPM said it was in the midst of installing new cybersecurity software when it discovered this attack.

“Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks,” the agency wrote in a statement on its website. “As a result, in April 2015, OPM became aware of the incident affecting its information technology (IT) systems and data that predated the adoption of these security controls.

“Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation to determine the impact to federal personnel. And OPM immediately implemented additional security measures to protect the sensitive information it manages.”

But is that enough?

Speaking to CNN shortly after the hack, Hemu Nigam, a cybersecurity expert, told the cable news network that the federal government was “about 10 years behind where they should be on security protections.” He added that the perpetrators of the attack could be amassing data on individuals they could target to disclose certain types of additional information.

“This digital warfare isn’t just war between people in uniform, it’s now becoming personal,” Nigam said.

After all, some experts say insider threats are becoming a huge problem. Sixty-two percent of organizations report insider threats during the previous year and 45 percent of enterprises have no idea how many insider threats actually occurred in their organization, according to a new report released June 10, 2015, from Silicon Valley-based Bitglass. Bitglass helps organizations track data outside of firewalls such as cloud applications and mobile devices.

Some 70 percent of 500 respondents who were queried on insider threats, including 500 IT executives, said determining the actual damage of insider threats is difficult. Additionally, only 25 percent of enterprises report monitoring abnormal user behavior in the cloud.

What Can HR Do?

“By their very nature, HR departments are a treasure trove of data, as they’re responsible for protecting employee information ranging from home addresses to Social Security numbers,” data security expert Nigel Johnson of Zix Corporation, which provides e-mail data protection solutions, told SHRM Online.

“This sensitive information needs to be transferred both internally and externally, and without the proper security measures in place, HR is a sitting duck for data breaches,” he said.

“To ensure data security, it’s crucial for companies to nail the basics, including proper training of employees that come in contact with sensitive information and implementing the right tools, such as e-mail encryption and data-loss prevention technology. It is up to HR and IT to work together to ensure the right data-protection tools are in place and training is thorough so, at the very least, the communication of sensitive information is secure.”

Data security is a misnomer, added Charles Foley, CEO of the IT security company Watchful Software.

“This latest breach is a clear signal that you will never be able to ensure complete security of the perimeter,” he said. “As a result, the effort needs to shift from perimeter-centric to information-centric security with a renewed focus on information encryption and protection. It needs to start from the basis that your network will be breached.

“We’ve opened up too much, without securing what is inside. The evolution of [bring-your-own-device] and cloud means that there is no perimeter and people can, will, and must be able to come and go across that former perimeter in order to communicate and be effective. This brings the benefit of real-time information flow, with the risk of breach.”

He said high-value targets need to be identified, as well as “potentially [toxic] information that could cause damage if leaked. This information needs an added layer of security, being encryption; an encryption that is real-time, based upon who is attempting to access this information. With this type of approach, if the Chinese breached the network, and stole data, what they would have stolen is encrypted data. Encrypted data might still be stolen but if it can’t be decrypted, the damage is mitigated.”

Fleck agreed.

“We’ve been trying to secure environments from the outside in since the late 1990s and it hasn't worked yet. We need to place much more emphasis on first securing the data, and HR has some of the most sensitive data within the enterprise,” Fleck said.

“This starts with HR leaders getting a new baseline for risk tolerance. HR leaders have massive influence over the security of their systems and data, and they can provide the business driver that IT security departments need in order to justify the resources required to improve security. Stop thinking about risk in terms of whether or not an attacker can compromise your network; instead evaluate risk knowing that attackers have already compromised your network and they are actively looking for high-value information to steal.”

Studies reveal that data breaches result in multimillion-dollar losses, and instances of cyber warfare are only going to increase. One expert said that perhaps the solution lies in getting “off the grid.”

“The fact is, no matter what you do for security someone will be able to breach it,” Ben Levitan, a wireless cellular telecommunications expert, told SHRM Online. “If it’s designed for you to get in, then anyone can figure out how to get in. Even if you burden people with biometric security, a ‘door’ is meant as an entrance. The only real solution is to get off the grid,” he said.

For example, he continued, “many law firms now forbid their office networks from being connected to the Internet. Their employees are forbidden from using the Internet. All the databases that are needed are now local. For example, all the ‘case law’ databases that are available from major websites are now brought in on DVDs and loaded on company servers. All personnel records are kept at the local office.”

Levitan added, “I would foresee the rise of the ‘dumb terminal’—simple computers with little to no memory that are used exclusively to surf the Internet. They are standalone devices that you don’t connect to your main computer or office network.”

Although this is very early 1990s, perhaps, it could help curb the data breach problem.

Aliah D. Wright is an online editor/manager for SHRM.

