The National Journal recently put together a timeline of government data breaches that looks specifically into the OPM data breaches and how they all tied together. In particular, it paints a picture of the importance of taking contractor data breaches more seriously.
As we discussed earlier, there were many security oversights at OPM that ultimately opened the door for the attackers. Looking at this timeline, it is clear that one of those oversights concerns contractor security. The timeline examines the breaches at USIS and KeyPoint, both OPM contractors at the time they were compromised. Following the USIS breach, OPM terminated its contract, and the contractor later went bankrupt. Following the first KeyPoint breach, OPM continued its relationship with the company; KeyPoint then suffered a second data breach.
In each of these cases, the type of material exposed had a direct bearing on OPM. The attackers who targeted USIS made off with information about OPM servers (even if it was “outdated” or generalized). Security credentials stolen in one of the two KeyPoint data breaches were tied directly to the OPM hack that began in October.
It’s not clear whether these contractors were targeted specifically to gain access to OPM, or whether information gleaned from the earlier breaches was used opportunistically against OPM afterwards. What we can learn here, however, is that contractor data breaches must be paid careful attention. Most discussions of data breaches focus on the consumer or employee information that was exposed, not on how that information could be leveraged against associated organizations. Stolen security credentials, network access, shared passwords, or a wealth of data that could feed a phishing campaign can have serious implications for every organization the breached contractor works with.
If any of your contractors suffer a data breach, it’s a good idea to immediately review the authorization and access those contractors hold within your own organization. We offer the following tips on how to react to a data breach at an external partner: