Jim McTague explains in his latest “D.C. Current” column for Barron’s how we all can learn lessons from the recent theft of data about federal government workers.
If malicious hackers can slip undetected into government computers and extract personal data from records of four million bureaucrats and military personnel, then it stands to reason that the financial accounts of you, me, and the millionaire next door are easy pickings. Fortunately, we can better protect ourselves with some commonsense changes to personal identifiers. It wouldn’t hurt occasionally to print out account statements; no one but the forester has figured out how to hack into wood pulp.
The hack attack against the Office of Personnel Management, which was discovered in April, was the largest, most damaging penetration yet of a federal database. It was so colossal that reporters tried to badger White House press spokesman Josh Earnest into labeling it an act of war. The bad actor behind the digital heist has not been formally identified, but experts say the modus operandi points to the serial hacking by the People’s Republic of China.
The OPM had been criticized in November by its own inspector general for lax computer security. An operation by the Department of Homeland Security to shore up data protection discovered an Internet protocol address no security expert had ever seen. That address was copied into a government security program named Einstein 2, which then scanned OPM’s databases and discovered the same mysterious IP address in personnel files. Einstein also found that massive amounts of data had been copied and extracted.
A NEWER VERSION of the software, Einstein 3-A, is being rolled out to block hackers at the front gate. But like Einstein 1 and Einstein 2, Einstein 3-A will only recognize IP addresses and malware that have been fed into its memory. Therefore, the feds need more intel sharing on hacking incidents from all government departments and the private sector. …
… What can you do to protect yourself? Don’t use your name, e-mail address, or other personal information as a user name in your accounts, advises Harry Fox, executive vice president of operational support services for CareFirst BlueCross BlueShield. Hackers stole information on over one million of its customers last year. Most of us use the same user ID for all of our accounts because we want something easy to remember. I’m guilty as charged.