Huge government data breach ‘inexcusable,’ security experts say

The huge data breach that may have compromised the personal data of at least 4 million current and former federal employees could have been avoided with better use of data protection technologies such as encryption, security experts say.

Hackers based in China are suspected to be behind the breach, which compromised data from the Office of Personnel Management (OPM) and the Interior Department. If confirmed, the incident would be the second major breach by Beijing in less than a year. However, a spokesman for the Chinese Embassy in Washington called such accusations "not responsible and counterproductive."

Security specialists have voiced their concern that critical government systems could suffer a breach on this scale.

“It's inexcusable for a government agency to allow a data breach like this to occur,” said Suni Munshani, CEO of data security software specialist Protegrity, in an emailed statement. “The names and personal information of our government employees is a vital asset to our country and should not be allowed to get in the hands of a foreign government.”

From government agencies to private companies, all organizations need to provide data-level protection, according to Munshani. “It's no longer acceptable to just focus on the perimeter,” he explained. “The data itself needs to be protected at a granular level.”

The Department of Homeland Security (DHS) issued a statement confirming the breach Thursday, saying that it had concluded at the beginning of May that data from the Office of Personnel Management (OPM) and the Interior Department had been compromised.

Further underlining the vulnerability of U.S. government systems, the attack comes hot on the heels of a major IRS security breach that compromised tax information from more than 100,000 U.S. households.

“From taxpayer to federal employee information, federal departments and agencies are gold mines for intruders,” warned Bob West, chief trust officer at cloud security specialist CipherCloud, in an emailed statement. “Had agencies encrypted the information that was breached, the fallout would not have been as severe. In the case of the IRS, it had been warned multiple times that its security practices were dated.”

West also cited the recently discovered LogJam Internet security flaw as further evidence that government must tighten its data controls. “We need to strengthen how information is protected, not weaken the controls we use,” he said. “When we weaken security, we hurt ourselves both politically and economically.”

DHS said its intrusion detection system, known as EINSTEIN, which screens federal Internet traffic to identify potential cyber threats, identified the hack of OPM's systems and the Interior Department's data center, which is shared by other federal agencies.

It was unclear why the EINSTEIN system didn't detect the breach until after so many records had been copied and removed.

Fox News has also learned through cyber-intelligence firm iSight Partners that the malware signatures attached to the OPM data breach link the attack to the same cyber espionage group that is responsible for penetrating the Anthem health insurance network.

While iSight couldn't directly attribute this attack to China, analysis of the Anthem attack has led investigators to believe it's the work of Chinese hackers.

Technology analyst Roger Kay of Endpoint Technologies said that he was not surprised by the latest breach, citing the challenges involved in protecting vast government networks. “There are ways to protect against this stuff, but it’s extremely difficult,” he said, noting that the tiniest defect or vulnerability across many thousands of networks can let in the bad guys.

Kay also pointed to the financial constraints that government faces when it comes to cybersecurity. “Nothing is going to get fixed unless they put some money on this,” he said.

In addition to encryption, technologies such as ‘tokenization’ are available to protect data. Tokenization, which is touted by Protegrity, effectively ‘masks’ sensitive data with replacement values that hold no value to a potential thief.

Follow James Rogers on Twitter @jamesjrogers

The Associated Press contributed to this report.