Monday, June 22, 2015

OPM Breaches Go Back to 2012 and 2013

The Office of Personnel Management's troubles extend even further back than the currently reported 2014-2015 timeline, according to a 2013 Office of the Inspector General audit report on OPM's use of Serena Business Management software. The system was hacked in May 2012 and March 2013, and sensitive data was lost (p. ii of the Executive Summary).

Appendix II of the above-referenced 2013 report contains a copy of the FLASH Audit Alert to the OPM, which states:
"In May 2012, a malicious hacker successfully breached OPM's Serena Business Manager system (Serena, formerly known as TeamTrack). The system was briefly taken down by OPM's Office of the Chief Information Officer (OCIO), but was quickly restored and made available on the public Internet." 
"Over the past year, the OCIO's Network Security Branch has conducted vulnerability scans that detected security flaws in the Serena system. However, it appears that no action was taken by the system administrators to address these issues, as another application on the Serena platform was hacked in March 2013.
After both security breaches, the hackers boasted on the Internet about compromising a government computer system, leading to embarrassing publicity for OPM."
According to the company, Serena Business Software has been used by OPM for automating process solutions for background checks, FOIA requests, health and compliance issues, etc.
