Just last week, we found out about a massive hack that put the data of every government employee at risk. Now, it turns out the government knew that the Office of Personnel Management's system was vulnerable long before the attack occurred.
Last summer, the Office of Personnel Management inspector general reported that the agency's computer network was extremely vulnerable to hackers.
The agency did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside to use the kind of basic authentication techniques that most Americans use for online banking.
Chinese hackers managed to breach the network before the inspector general's report was published in November. The government then began updating security, but that wasn't enough to stop this massive data breach from beginning in December.
The hackers behind this breach are believed to be the same group responsible for attacks against healthcare companies Anthem and Primera.
The inspector general's report found several huge security holes in the Office of Personnel Management's network. It said that two systems used by the Federal Investigative Service had massive security flaws. The report recommended shutting the systems down, but that didn't happen because of a backlog of security clearances. And, that's not all.
It did not regularly scan for vulnerabilities in the system, and found that 11 of the 47 computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”
The Office of Personnel Management also didn't use multifactor authentication to verify user identities. Multifactor authentication is a security measure used by banks and other companies that do business online. It sends you a text message, phone call or email with a one-time-use code every time you try to log into your account.
The Office of Personnel Management is now in the process of adding two-factor authentication to its network.