100 word response due 1/13/2023
One event that resulted from failed governance was the Office of Personnel Management (OPM) breach in 2015 (OPM, n.d.). The OPM is tasked with vetting applicants for several public and private sector government-associated job posts. In 2015, it was reported that the data of 21.5 million current and former Federal government employees, contractors, and other employees had been stolen, including full names, home addresses, and social security numbers. The breached systems were the background investigation databases, which also hold records on non-applicants such as co-habitants or spouses, because such disclosures are required for clearances.
The attack began back in 2013, when the first wave of hackers breached OPM and obtained IT system architecture information. A contractor, KeyPoint, had been breached, and the credentials stolen from this contractor were finally used to breach the OPM network. Using the backdoor they had created, the attackers could obtain the personnel records. While several precautions could have been implemented after the first breach, in which the attackers were able to ascertain IT details, the most significant failure pointed out by [report?] is the lack of two-factor authentication. Had OPM implemented this, the attackers would have been blocked even with the credentials they had stolen from KeyPoint. Multi-factor authentication is highly recommended as good practice across IT domains. It is one of the most commonly used ways to mitigate the risk associated with stolen credentials by providing a layered approach to securing data (CISA, n.d.).
Proper governance could have prevented the secondary attack, starting with multi-factor authentication and ending with proper investigation and placement of safeguards after the first breach. The potential for a secondary attack was there, but the risk wasn't adequately mitigated. There were no immediate actions or plans to counter the weaknesses identified in OPM's systems at the time. The applicants are stakeholders who, by providing their data, expect that the entity charged with processing and safekeeping said data has processes in place to do so. OPM Breach Announcement link: