Jeff Hill, Channel Marketing Manager, STEALTHbits, says: "Public details of the OPM breach are sparse. We don't know how long the attackers operated on the OPM network undetected. We don't know the means of initial infiltration. However, that the Government is revising its damage estimates yet again implies the extent to which sensitive data was exposed is still unclear, a troubling development further suggesting the time between initial breach and detection was substantial. It takes time to compromise privileged credentials, find the sensitive personnel data those credentials have access to, and exfiltrate millions of records without attracting attention. Few in the data security world would be surprised if we eventually learn the bad actors operated with relative impunity on the OPM network for a timeframe measured in months, if not years."
Giovanni Vigna, CTO of Lastline, adds: "This clearly exemplifies the weaknesses of some kinds of biometrics. Biometrics are based on what a person 'is', instead of what a person 'knows' or 'has' (which are the basis for traditional security systems). If the secret on which the biometric system is based is disclosed, it cannot easily be changed, because it is directly related to the body of a person. Changing your fingerprints can be a painful proposition, especially as these breaches become more common (yes, it's a joke)..."