Understanding the U.S. Government Hacks


The last few weeks brought bad news for government data security, with a series of U.S. Government hacks. On May 26, the IRS announced that hackers had compromised the online accounts of around 100,000 American taxpayers.

And on June 4 came news of a separate hack, this time at the Office of Personnel Management, the human resources department for the Federal government. In this case, hackers stole the records of 4 million current and former U.S. government employees. These included Social Security numbers and other personal information, and security clearance information.

How were the attacks carried out?

In the IRS hack and other government hacks, the hackers came through the front door, not the back. They had previously obtained personal details of hundreds of thousands of American taxpayers from a separate source. Between February and May 2015, those details were used to seek access to about 200,000 records in the IRS Get Transcript database (currently down).

About half these attempts were successful, and with the information obtained, the hackers were able to file fraudulent tax returns and steal some $50 million in refunds. One disturbing aspect of the IRS hack is the apparent ease with which the hackers were able to obtain information, supposedly known only to the taxpayer, in respect of so many individuals.

How the OPM attack was carried out is less clear. Ars Technica reports that the initial compromise was probably through an email phishing attack. However, OPM’s historically poor cybersecurity—a lack of internal IT staff, multi-factor authentication, and a comprehensive inventory of networks and servers—probably made things worse. An upgrade to government anti-intrusion software finally allowed the attack to be detected in April 2014.

As with the Anthem and Target hacks, failure to encrypt personal identifying information was a factor in allowing its theft.

Even the OPM attack may not have been especially sophisticated. “The Chinese in particular are cleaning us out because we know we’re supposed to do these simple things and yet we don’t do them. Most Chinese cyber intrusions are through well-known vulnerabilities that could be fixed with patches already developed,” Stephanie O’Sullivan, deputy to the Director of National Intelligence, said in April.

IRS systems are in an even worse state: “we still have applications that were running when John F. Kennedy was President,” said the head of the IRS in February.

Who carried out the attacks and why?

The IRS hack is believed to have been carried out by Russians, although hackers in other countries may have been involved. The primary motivation seems to have been money. The hackers didn’t attempt to obtain additional information that might be useful for espionage or for further intrusions.

The OPM hack is less clear in its purpose. Some experts believe the hack is most likely to be the work of private criminals, since the information gained is valuable for identity theft but not obviously useful to spies.

Other experts note similarities between the methods used in the OPM attack and those of the Chinese government-sponsored group that is believed to have hacked two health insurers, and point out that data from those attacks hasn’t yet been used for criminal activities. That suggests the data is being compiled for other purposes, like facilitating future cyberattacks and further acts of espionage.

What is the government going to do about it?

The Internal Revenue Service is sending letters this week to about 200,000 taxpayers to notify them that hackers attempted to access certain IRS accounts—which will come as little comfort to the affected. The OPM is beginning to contact government employees by email.

Otherwise, the government will continue to struggle with these attacks, for the simple reason that protecting and upgrading sprawling government networks is expensive, and budgets continue to be cut. The IRS is having difficulty competing with the private sector to attract top security talent. While many billions of attacks are thwarted every month, it only takes one to get through. Without an easy solution, U.S. policy is shifting towards an increased willingness to retaliate with cyberattacks of its own.

For those concerned that even the government can’t prevent these attacks, there is some comfort in knowing that hacks almost always exploit preventable vulnerabilities—particularly in payment security. Verizon’s 2013 Data Breach Investigation report found that 68% of cyberattacks were low-skill, requiring only basic tools. Another 10% were so simple the average user could have carried them out.
