USAJobs hacking raises further security questions

For the second time in 17 months, the federal jobs portal has been hacked. And the attack appears to be similar to the one that happened in Aug. 2007 when hackers stole data from about 8 percent of the more than 2 million job seekers on USAJobs.gov.

The Office of Personnel Management issued a statement Jan. 26 detailing the problem. In a press release, OPM says “[T]he Monster database was illegally accessed and certain contact and account data were taken, including user IDs and passwords, e-mail addresses, names, phone numbers and some basic demographic data. The information accessed does not include resumes. The accessed information does not include sensitive data such as social security numbers or personal financial data.”

The recurring success of hackers in getting into the Monster database is causing concern among security experts.

Glenn Schlarman, who spent more than 25 years working on cybersecurity issues for the Office of Management and Budget and the FBI, says there have been questions around vendor cybersecurity for some time.

“Most of us believed for a long time that industry was better than government,” says Schlarman, who now works with Good Harbor Consulting. “I’ve long since given up on that theory. I don’t believe they are any better than the government.”

Schlarman, who retired in 2006, says in the past OMB was uneasy about the security of USAJobs.gov.

“The question always in my mind is OPM’s inspector general really performing the due diligence that the law requires them to perform,” he says. “I have to question that because this is the second breach that we know of, but because we don’t know if anyone is conducting independent evaluations that the law requires we don’t know this is only the second time.”

The Federal Information Security Management Act (FISMA) requires agencies to make sure vendor systems that hold federal data or are connected to federal systems meet all the cybersecurity requirements. The law places the onus on the IGs to audit these vendor systems.

The OPM IG says in its semi-annual report to Congress for 2008 that it audited the security of USAJobs.gov Sept. 5. But it is unclear whether this includes Monster’s security.

An OPM spokesman was looking into whether the IG’s audit included Monster’s systems.

Monster spokeswoman Nikki Richardson says, “No company in our business can completely prevent unauthorized access to data. Monster’s Web site is designed as a search resource for our customers, and we need to balance that service with the need to provide the best practical security features we can.”

Richardson says the company does not comment on its security measures.

“We take this, and any incursion, extremely seriously,” she says. “Immediately, upon learning about this, Monster initiated an investigation and took corrective steps. The company continually monitors for any illicit use of information from our database, and so far, we have not detected the misuse of this information.”

Because the stolen data includes user IDs, passwords and e-mail addresses, the biggest risk federal job seekers now face is phishing attacks that use those details to look legitimate. OPM suggested USAJobs.gov users change their passwords the next time they use the portal.

via Federal News Radio 1500 AM: USAJobs hacking raises further security questions.