Why You Should Always Be Concerned About Contractor Breaches

The National Journal recently put together a timeline of government data breaches that looks specifically into the OPM data breaches and how they all tied together. In particular, it paints a picture of the importance of taking contractor data breaches more seriously.

As we discussed earlier, there were many security oversights at OPM that ultimately opened the door for hackers. Looking at this timeline, it is clear that one of those oversights has to do with contractor security. The timeline examines the hack / breaches at USIS and KeyPoint, both OPM contractors at the time of their breaches. Following the USIS breach, OPM terminated its contract and the contractor later went bankrupt. Following the first KeyPoint breach, OPM continued its relationship; KeyPoint suffered a second data breach.

In each of these cases, the type of material breached had a large impact on OPM. Hackers who targeted USIS made off with information about OPM servers (even if it was “outdated” or generalized). Security credentials stolen from one of the two KeyPoint data breaches was tied directly to the OPM hack that began in October.

It’s not clear if these contractors were targeted in order to gain access to the OPM, or if information gleaned from the earlier data breaches was used opportunistically to target OPM. What we can learn here, however, is that contractor data breaches must be paid careful attention. Most discussions of data breaches focus on the consumer or employee information breached, not how breached information could be leveraged against associated organizations. Security credentials, network access, shared passwords, or a wealth of data that could be exploited in a phishing scheme could have serious implications for other organizations.

If any of your contractors suffer a data breach, it’s a good idea to immediately review authorization and access as your own organization. We offer the following tips on how to react to a data breach with external partners:

1. Harden access: Ensure access to internal systems requires strong authentication, and apply strict limits on information available to the outsider. Experts recommend two-factor authentication techniques, such as a combination of a token and a password, for external access.
2. Isolate access: Cordon off externally-accessed systems and networks from the rest of the internal network using internal firewalls (similar to a network DMZ used to isolate sacrificial servers). Log and review traffic that traverses the internal firewalls to the externally-accessed systems.
3. Log and audit: Maintain and review logs of external access. Unexpected access may turn out to be a false alarm, but check and verify.
4. Regularly review: Business partners come and go, and their IT needs may change over time. Restrict or revoke access as necessary.