OPM posts alert on USAJobs
Experts assessing fallout from USAJobs breach warn users to beware of scams
- By Richard W. Walker
- Sep 21, 2007
Office of Personnel Management officials say they are confident they can protect the personal information of job seekers on the agency's USAJobs Web site, despite a recent malware attack on the site's résumé database. OPM officials did not disclose specific steps the agency has taken to safeguard the data. The database runs on servers at career site company Monster.com.
In late August, OPM notified about 5 million registered USAJobs users of a data breach and warned them not to provide personal information in response to unsolicited e-mail messages. Those messages could be from phishing e-mailers, bad guys who send e-mail messages that appear to be from a legitimate agency or company to trick unsuspecting victims into disclosing personal information.
OPM reported on Aug. 29 that phishing e-mailers had gained unauthorized access to personal information stored in Monster.com's résumé database. The phishers obtained contact information, including names, e-mail addresses and telephone numbers of 146,000 USAJobs subscribers, but no Social Security or bank account numbers, OPM said.
A security expert offered partially reassuring advice to people whose names were stolen from the résumé database. Johannes Ullrich, director of the Internet Storm Center at the SANS Institute, a security training and research company, said the information the phishers took was insufficient for identity theft.
"Typically, you don't have Social Security numbers on Monster.com," Ullrich said. "But the biggest danger is that the information they gathered can be used for more targeted attacks. For example, if they know that this particular person applied for a job at a particular agency, they could fake a response from that agency. The user then is more willing to do things like open attachments that may come with that e-mail." E-mail attachments can contain harmful software.
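The targeted-phishing scenario Ullrich describes relies on a message that names the right agency but carries links or a reply address that belong to the attacker. The following script is an added example, not code from the article, OPM or Monster; it runs one mechanical check a mail filter or a cautious recipient can apply to such a message: does every link, and the Reply-To address, actually belong to the domain the From header claims? The sample message, the lookalike hosts under the reserved .example top-level domain, and the analyse_message and registered_domain helper names are all constructed for this illustration.

```python
"""Flag an e-mail that claims to come from an agency but links or replies elsewhere.

Added example, not code from the original article. The sample message below is
constructed: it poses as a USAJobs notice but its links and Reply-To point at
attacker-controlled hosts under the reserved .example TLD.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample: visible link text says usajobs.gov, the href does not.
SAMPLE_PHISH = """\
From: USAJOBS Notifications <noreply@usajobs.gov>
Reply-To: careers@usajobs-verify.example
Subject: Your application to the Department of Transportation
Content-Type: text/html

<html><body>
<p>Dear applicant, a hiring manager has responded to your application.</p>
<p><a href="http://usajobs.gov.login-check.example/verify">https://www.usajobs.gov/Applicant/</a></p>
<p><a href="https://www.usajobs.gov/Help/">Help</a></p>
</body></html>
"""

# Constructed benign sample: every link and the Reply-To stay on the claimed domain.
SAMPLE_LEGIT = """\
From: USAJOBS Notifications <noreply@usajobs.gov>
Reply-To: help@usajobs.gov
Subject: Saved search results
Content-Type: text/html

<html><body><p><a href="https://www.usajobs.gov/Search/">View results</a></p></body></html>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for .gov/.com, wrong for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_message(raw):
    """Return a list of findings; an empty list means no domain mismatch was seen."""
    msg = message_from_string(raw)
    claimed_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    claimed = registered_domain(claimed_host)
    findings = []

    # Reply-To on a different registered domain redirects the victim's answer to the attacker.
    reply_host = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_host and registered_domain(reply_host) != claimed:
        findings.append(f"Reply-To domain {reply_host} differs from From domain {claimed_host}")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        # A subdomain prefix like usajobs.gov.login-check.example still resolves to login-check.example.
        if registered_domain(href_host) != claimed:
            findings.append(f"link to {href_host} does not belong to {claimed}")
        # Link text that looks like a URL but names a different host than the href is a classic lure.
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if shown_host and shown_host.lower() != href_host.lower():
                findings.append(f"displayed URL host {shown_host} differs from actual {href_host}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse_message(sample) or "no findings")
```

The check is deliberately narrow: it says nothing about whether the From header itself is forged (that is what SPF, DKIM and DMARC are for), and the two-label domain heuristic would need a public-suffix list for real deployment. What it does catch is exactly the lure Ullrich warns about, a message that names the right agency while every actionable element points somewhere else.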
The attack compromised the contact information of about 1.3 million Monster.com job seekers, Monster said in a statement Aug. 23. The stolen data was found on a rogue server, and the company shut down the server as part of an investigation of malicious software identified as Infostealer.Monstres, Monster officials said.
Monster apparently didn't know about the rogue server until Symantec researchers discovered it Aug. 17. In a blog posted on Symantec's Web site, Amando Hidalgo, a Symantec security analyst, said he and his colleagues found that Infostealer.Monstres was uploading Monster.com data to a remote server in Ukraine. They found more than 1.6 million entries with personal data belonging to several hundred thousand people and informed Monster, Hidalgo said.
Asked about Monster's ability to protect the personal data of USAJobs subscribers, OPM said in an e-mail response that "the Monster team's work is closely coordinated with OPM and the USAJobs program office. The information has been and will continue to be safeguarded by standards promulgated by the Office of Management and Budget and the National Institute of Standards and Technology."
OPM first learned of a problem July 20, when a Transportation Department employee reported a bogus e-mail message, purportedly from USAJobs, that appeared to be a phishing scam. DOT contacted OPM, which then notified Monster, OPM officials said. OPM immediately posted anti-phishing notices on USAJobs.
OPM officials said DOT also notified the Homeland Security Department's U.S. Computer Emergency Readiness Team, as OMB requires.
"Monster initiated timely actions to fix the vulnerability detected in the system," OPM officials said.