AP reports:
The federal personnel agency whose records were plundered by hackers linked to China announced on Monday the temporary shutdown of a massive database used to update and store background investigation records after newly discovering a flaw that left the system vulnerable to additional breaches.
There is no evidence the vulnerability has been exploited by hackers, agency spokesman Samuel Schumach said in a statement, adding that the Office of Personnel Management took the step protectively. He said the system could be shut down for four to six weeks.
Read more on NBC.
This is an epic fail.
In one breath they say they have no evidence the data was accessed. Then with the other hand, they shut down the database. nothing like the stereotypical circus clown mentality of the administration. There is lack of expertise, at a minimum.
IMO, there is little confidence that the hacks – if you want to call them that – can be stopped by the staff. Its ludicrous. Who ever got in, probably did so by some knucklehead using password reuse. With all the account data out there, if you use your password(s) in more than one location, you are subject to being a victim.
Some IT people with elevated privileges simply do not think- nor do they appear to care about their immediate job functions and responsibilities. They slap in an easy to remember user/password and go on about their business. If there is a policy violation or an issue, most will not show the initiative to make it right – let alone fix it.
Security is a garbled mess in most organizations. Most never check to see if the people who have access have permanently left the building. Most of these issues have been around for decades – through migrations and no one appears to have the time – not the due care to solve the issues. There are handfuls of USEFUL, secure tools to accelerate the security of a network. But, again, it depends on the staff, their abilities and desire to make it work. Some rather surf all day and post on their favorite social media sites to get paid.