OPM posts alert on USAJobs

Experts assessing fallout from USAJobs breach warn users to beware of scams

Large databases make attractive targets

Multiple Web sites that share the same back-end database, such as Monster.com’s résumé database, run a compounded risk of being breached by hackers, said Johannes Ullrich, director of the Internet Storm Center at the SANS Institute.

“If one of them gets compromised, they all get compromised,” he said, adding that one small breach can escalate into a much larger problem.

Résumés belonging to nearly 150,000 registered users of the Office of Personnel Management’s USAJobs Web site, which was breached by e-mail phishers this summer, are among millions on career site Monster.com’s résumé database.

“We don’t know exactly who got the information, but it looks like they got the USAJobs information unintentionally,” Ullrich said.

— Richard W. Walker


Find a link to the Symantec blog that discusses the malware Infostealer.Monstres on FCW.com’s Download at www.fcw.com/download.

Office of Personnel Management officials say they are confident they can protect the personal information of job seekers on the agency's USAJobs Web site, despite a recent malware attack on the site's résumé database. OPM officials did not disclose specific steps the agency has taken to safeguard the data. The database runs on servers operated by career site company Monster.com.

In late August, OPM notified about 5 million USAJobs registered users of a data breach and warned users on the site not to provide personal information by responding to unsolicited e-mail messages. Those messages could be from phishing e-mailers — bad guys who send e-mail messages that appear to be from a legitimate agency or company to trick unsuspecting victims into disclosing personal information.

OPM reported on Aug. 29 that phishing e-mailers had gained unauthorized access to personal information stored in Monster.com’s résumé database. The phishers obtained contact information, including names, e-mail addresses and telephone numbers of 146,000 USAJobs subscribers but no Social Security or bank account numbers, OPM said.


A security expert offered partially reassuring advice to people whose names were stolen from the résumé database. Johannes Ullrich, director of the Internet Storm Center at the SANS Institute, a security training and research company, said the information the phishers took was insufficient for identity theft.

“Typically, you don’t have Social Security numbers on Monster.com,” Ullrich said. “But the biggest danger is that the information they gathered can be used for more targeted attacks. For example, if they know that this particular person applied for a job at a particular agency, they could fake a response from that agency. The user then is more willing to do things like open attachments that may come with that e-mail.” E-mail attachments can contain harmful software.
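The two phishing patterns the article warns about, a message that names a legitimate agency or job site but comes from an unrelated domain, and a faked "agency response" that carries an attachment, can be triaged with a handful of header and content checks. The script below is an added example written for this page; it is not code from OPM, Monster or Symantec. The trusted-domain table, the keyword list and the three sample messages are constructed assumptions for illustration, not real mail from the incident.

```python
"""Triage saved e-mail messages for signs that they impersonate an agency or
job site.  Added example for this page, not code from OPM, Monster or
Symantec.  TRUSTED_SENDERS, URGENCY and the three sample messages are
constructed assumptions for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Organisations the recipient deals with, and the domains allowed to send
# mail on their behalf (assumed values; a real deployment would populate
# these from the organisation's own records).
TRUSTED_SENDERS = {
    "usajobs": {"usajobs.gov", "opm.gov"},
    "monster": {"monster.com"},
}

# Phrases typical of credential-harvesting mail (assumed list).
URGENCY = re.compile(
    r"\b(verify|confirm|suspend(ed)?|within 24 hours|immediately)\b", re.I)


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def claimed_org(display_name, subject):
    """Which trusted organisation, if any, does the message claim to be from?"""
    text = f"{display_name} {subject}".lower()
    return next((org for org in TRUSTED_SENDERS if org in text), None)


def triage(raw_message):
    """Return a list of findings for one RFC 822 message (empty = nothing seen)."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg.get("From", ""))
    subject = msg.get("Subject", "")
    org = claimed_org(display_name, subject)
    findings = []

    # 1. The message names an organisation we trust, but the sender domain
    #    is not one that organisation uses.
    if org and domain not in TRUSTED_SENDERS[org]:
        findings.append(f"claims to be {org} but was sent from {domain}")

    # 2. Replies are redirected to a domain other than the sender's.
    reply_domain = sender_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To points at a different domain: {reply_domain}")

    # 3. An unsolicited 'agency response' carrying an attachment, the
    #    targeted follow-on attack the article warns about.
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if org and attachments:
        findings.append(f"attachment(s) from a claimed {org} sender: {attachments}")

    # 4. Pressure language in the subject or in any text/plain part.
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    if URGENCY.search(subject + "\n" + body):
        findings.append("urgency or account-verification language")
    return findings


# Constructed sample messages (not real mail from the incident).
SAMPLE_PHISH = """From: USAJobs Support <support@usajobs-verify.net>
To: applicant@example.gov
Subject: USAJobs: confirm your application within 24 hours
Content-Type: text/plain

Your application is on hold. Reply with your SSN to confirm your identity.
"""

SAMPLE_LEGIT = """From: USAJobs <notifications@usajobs.gov>
To: applicant@example.gov
Subject: USAJobs: application status updated
Content-Type: text/plain

Sign in at usajobs.gov to see your status.
"""

SAMPLE_ATTACH = """From: Hiring Office <hr@dot-gov-careers.com>
Reply-To: hiring.desk@example.net
To: applicant@example.gov
Subject: Re: your USAJobs application
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached offer letter and return the signed form today.
--b1
Content-Type: application/msword; name="offer.doc"
Content-Disposition: attachment; filename="offer.doc"

ZmFrZQ==
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT),
                       ("attach", SAMPLE_ATTACH)):
        print(label, triage(raw))
```

The checks are deliberately header-level: they need no network access and work on mail saved from any client. The legitimate notification produces no findings, the spoofed sender trips the domain and urgency checks, and the faked agency reply trips the domain, Reply-To and attachment checks. Anything this flags should be treated the way OPM's notice advises: do not reply or open attachments, and go to the site directly instead.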

The attack compromised the contact information of about 1.3 million Monster.com job seekers, Monster said in a statement Aug. 23. The stolen data was found on a rogue server, and the company shut down the server as part of an investigation of malicious software identified as Infostealer.Monstres, Monster officials said.

Monster apparently didn’t know about the rogue server until Symantec researchers discovered it Aug. 17. In a blog posted on Symantec’s Web site, Amando Hidalgo, a Symantec security analyst, said he and his colleagues found that Infostealer.Monstres was uploading Monster.com data to a remote server in Ukraine. They found more than 1.6 million entries with personal data belonging to several hundred thousand people and informed Monster, Hidalgo said.

Asked about Monster’s ability to protect personal data of USAJobs subscribers, OPM said in an e-mail response that “the Monster team’s work is closely coordinated with OPM and the USAJobs program office. The information has been and will continue to be safeguarded by” standards promulgated by the Office of Management and Budget and the National Institute of Standards and Technology.

OPM first learned of a problem July 20, when a Transportation Department employee reported a bogus e-mail message, purporting to come from USAJobs, that appeared to be a phishing scam. DOT contacted OPM, which then notified Monster, OPM officials said. OPM immediately posted anti-phishing notices on USAJobs.

OPM officials said DOT also notified the Homeland Security Department’s U.S. Computer Emergency Readiness Team, as OMB requires.

Monster initiated timely actions to fix the vulnerability detected in the system, OPM officials said.
