The U.S. Office of Personnel Management (OPM) did not follow rudimentary cyber security recommendations that could have mitigated or even prevented major attacks that compromised sensitive data belonging to more than 22 million people, according to a congressional panel investigation released on September 7, 2016.
According to news reports, it seems the epic data breach at the OPM, which exposed background investigations and fingerprint data on millions (yes millions and millions and millions!) of Americans, was the result of a series of cybersecurity mistakes, including use of outdated technology.
- Every person given a government background check for the last 15 years was probably affected, according to the OPM itself. These people were not necessarily current or former government employees.
- According to the New York Times, the agency said hackers stole sensitive information, including addresses, health and financial history, and other private details, about people who had been subjected to a government background check, as well as others, including their spouses and friends.
- According to NBC News, the congressional investigation faulted OPM, which manages employment matters for the federal government, including background checks for most agencies, for not moving fast enough to address early signs of a data attack - a delay that may have allowed hackers to siphon reams of personnel data.
Personally Identifiable Information (PII) is information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, or biometric records, either alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth and mother’s maiden name.
For businesses today, protecting customer data such as credit card information, log-in credentials, and other personally identifiable information is one of the top priorities for both security and risk leaders, as well as business leaders.
A breach of customer information could result in the organization’s loss of public trust, legal liability and significant cost to remedy damages. While it is best practice for organizations to limit the use, collection, and retention of PII to only what is absolutely required for business purposes, organizations often do not know exactly what information they store or where it is located, and without that inventory they cannot effectively manage it or ensure its protection.