UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

MEMORANDUM FOR JOHN BERRY
Director

FROM: PATRICK E. McFARLAND
Inspector General

SUBJECT: Breach of Personally Identifiable Information in Retirement Services (Report No. 4A-RI-00-12-033)

The purpose of this memorandum is to communicate to you the conclusions resulting from our review of a release of personally identifiable information (PII) that occurred when a contractor for the Retirement Services (RS) program office mailed postcards related to the Federal Employees Health Benefits Program (FEHBP) open season enrollment to Federal government annuitants.

Executive Summary

Our review indicated that several missing or bypassed information technology (IT) security controls resulted in postcards containing exposed PII, including Social Security Numbers (SSN), being printed and mailed through the U.S. Postal Service. In addition, several individuals across multiple U.S. Office of Personnel Management (OPM) organizations did not follow the appropriate procedures for reporting the breach to OPM's Situation Room. As a result, we recommend that the Office of the Chief Information Officer (OCIO) strengthen its change management procedures and conduct agency-wide training and awareness campaigns related to incident response and reporting. We also recommend that RS implement a data reconciliation process with its contractor and consider providing free credit monitoring services to every individual whose SSN was printed and mailed.

Background

OPM contracts with Vangent, Inc. to manage the annual FEHBP open season enrollment process for Federal government annuitants. One of Vangent's responsibilities is to mail postcards alerting annuitants who have suspended their FEHBP enrollment of the upcoming open season and their eligibility to re-enroll in the program.
In October 2011, Vangent unintentionally printed and mailed approximately 3,000 postcards that contained annuitants' SSNs on the cover.

Scope and Methodology

We conducted interviews with individuals from RS and OCIO and reviewed the information security incident report from OPM's Situation Room. Our review was not conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). The nature and scope of the work performed was consistent with that expected of a GAGAS audit; however, because we consider this to be a review, the documentation, reporting, and quality control standards are not as stringent.

Review Results

Our review indicated that several missing or bypassed IT security controls allowed the data breach to occur and that several individuals across multiple OPM organizations did not follow the appropriate procedures for reporting the breach to OPM's Situation Room.

a) Failed security controls that allowed the breach to occur

In July 2011, the OCIO sent test data to Vangent to test the creation of the database used to populate the FEHBP open season postcards to be mailed to Federal annuitants. However, Vangent informed the OCIO that there was an error with the test file. In an attempt to fix the problem, an OCIO programmer edited the code that was used to create the test data file. This edit was treated as an "emergency change," and the typical change control process, which requires several levels of approval and testing, was not followed.

After the change was complete, the OCIO re-ran the data extract process and delivered a data file to Vangent that was to be used in the production database. Vangent detected that something was still wrong with this file, as many rows of data were rejected by Vangent's database validity checks. It was also determined that this file inappropriately contained SSNs. As a result, the OCIO implemented a second emergency change in an attempt to fix the file.
The extract was run a second time and a second production file was sent to Vangent. It would be determined later that the second production file was still incorrect (it contained far too many rows), but it no longer contained SSNs. Vangent proceeded to update its database with the second production file. However, it never "refreshed" the database to delete the first production file that contained SSNs. As a result, postcards containing clearly exposed SSNs were printed and mailed the week of October 24, 2011. Due to the other errors in the data file, the postcards were mailed to government agencies that have collection accounts for annuitants, and not to the individuals' homes.

Although the database contained too many rows of data, these errors were not detected because there is no reconciliation process to verify that the number of rows produced by RS matches the number processed by Vangent. Although a reconciliation process could have alerted Vangent that there were still errors in the database, the original problem was caused by weak change management controls in the OCIO.

Since the code edits were treated as emergency changes, limited testing was done on the changes, and nobody other than the programmer approved the change. The programmer checked the code out of production, made edits, and then delivered it to the mainframe Production Control team to place back into production. Although there is certainly a need for an emergency change process in a programming environment, the process should still require at least one level of managerial approval so that the programmer cannot facilitate the entire process alone.

RS estimated that approximately 3,000 postcards containing SSNs were mailed. The majority of the postcards were recovered from the government agencies to which they were mailed, but approximately 650 postcards were not recovered.
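The two controls whose absence the review describes, written here as an added example (not OPM, OCIO or Vangent code): a producer-side release gate that reconciles the extract's row count against a control count and flags unexpected columns or SSN-shaped values before a file leaves the agency, and a receiver-side count check that would have exposed a stale earlier file left in the database. The manifest record, column names and sample rows are constructed assumptions.

```python
import csv
import io
import re
from dataclasses import dataclass, field

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")  # any 9-digit value is flagged for review

@dataclass
class Manifest:  # assumed control record sent alongside the data file (hypothetical)
    expected_rows: int
    allowed_fields: tuple  # the extract must carry these columns and nothing else

@dataclass
class Findings:
    row_count: int = 0
    count_matches: bool = False
    unexpected_fields: list = field(default_factory=list)
    ssn_like_cells: list = field(default_factory=list)  # (row number, column)

    @property
    def ok(self):  # releasable only when every check passes
        return self.count_matches and not self.unexpected_fields and not self.ssn_like_cells

def validate_extract(csv_text, manifest):
    """Producer gate: reconcile row count with the manifest, reject extra columns, flag SSN-shaped cells."""
    reader = csv.DictReader(io.StringIO(csv_text))
    f = Findings(unexpected_fields=sorted(set(reader.fieldnames or []) - set(manifest.allowed_fields)))
    for row_no, row in enumerate(reader, start=1):
        f.row_count += 1
        for column, value in row.items():
            if value and SSN_RE.match(value.strip()):
                f.ssn_like_cells.append((row_no, column))
    f.count_matches = f.row_count == manifest.expected_rows
    return f

def reconcile_loaded_count(loaded_rows, manifest):
    """Receiver check after load: a stale earlier file never refreshed out shows up as excess rows."""
    return loaded_rows == manifest.expected_rows

# Constructed sample: manifest promises 2 rows x 3 columns; the extract has a 3rd row and an SSN column.
MANIFEST = Manifest(expected_rows=2, allowed_fields=("claim_no", "name", "agency_code"))
BAD_EXTRACT = """claim_no,name,agency_code,ssn
A0001,Jane Doe,1234,123-45-6789
A0002,John Roe,1234,987-65-4321
A0003,Extra Row,1234,
"""
GOOD_EXTRACT = """claim_no,name,agency_code
A0001,Jane Doe,1234
A0002,John Roe,1234
"""
```

The pattern deliberately matches any 9-digit value, so the gate errs toward a human review of a flagged file rather than silently releasing one.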
Free credit monitoring services were offered to those individuals whose information was exposed on the non-recovered postcards, but nothing was offered to those individuals whose information was printed on postcards that were recovered. The mailed postcards were bundled in stacks of about 150, and the only exposed SSN was the postcard on top. Although only one out of every 150 postcards was easily visible, and most of the postcards were recovered, it is impossible to determine how many people had physical access to the trays as they were routed through the print vendor's facility and the U.S. Postal Service.

Recommendation 1

We recommend that the OCIO improve its change management procedures so that emergency changes require management approval prior to being placed into production.

Recommendation 2

We recommend that RS develop a reconciliation process with Vangent to ensure that the data files passed between the organizations contain the appropriate quantity of data.

Recommendation 3

We recommend that RS reevaluate its decision to not provide credit monitoring services to individuals whose information was printed on postcards that were recovered.

b) Timely reporting of the security breach

On Saturday, October 29, 2011, an RS staff member received a telephone call from an official at the Eagan, Minnesota post office distribution center to report a large volume of postcards from OPM containing SSNs. The individual who received the call immediately notified a branch chief in the OCIO and a group chief in RS. By the evening of October 30, an OCIO group chief and the Associate Director of RS had also been notified. By the morning of Monday, October 31, OPM's Chief Information Officer was also aware of the situation. Although multiple people across several OPM program offices were aware of the breach, it was not reported to OPM's Situation Room until Wednesday, November 2, four days after the incident was first detected.
OPM's Incident Response and Reporting Guide is an agency-wide policy that states "OPM employees and contractors must report any breach or potential breach of PII to the OPM Situation Room within 30 minutes of becoming aware of the risk – regardless of the time or day of the week." Although several OCIO and RS employees reported the incident to their direct managers, every person who knew about the event had the responsibility to report it to the Situation Room. We believe that this indicates that OPM employees are not fully aware of the requirements outlined in the Incident Response and Reporting Guide.

Recommendation 4

We recommend that the OCIO conduct improved agency-wide training and awareness campaigns related to incident response and reporting.

cc:
Elizabeth A. Montoya, Chief of Staff
Richard B. Lowe, Director, Executive Secretariat and Ombudsman
Matthew E. Perry, Chief Information Officer
Kenneth J. Zawodny, Jr., Associate Director, Retirement Services
Director, Internal Oversight & Compliance
Deputy Director, Internal Oversight & Compliance
Chief, Policy and Internal Control
Breach of Personally Identifiable Information in Retirement Services
Published by the Office of Personnel Management, Office of Inspector General on 2012-03-13.