US government personnel agency takes system offline after new vulnerability revealed

Problems for the US Office of Personnel Management aren't letting up. The government agency said Monday it had suspended a system used for background checks after a security flaw was discovered in the Web-based app.


The US Office of Personnel Management said there's no evidence the system was hacked. It discovered the vulnerability during an ongoing review of its IT systems, it said, which is being carried out in the wake of at least two serious security breaches.

Still, it's a big inconvenience. The system, called E-QIP, is used by multiple agencies to carry out background checks on potential new hires, and it will be offline for four to six weeks, the OPM said.

"The actions OPM has taken are not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited," the agency said, calling the decision to take E-QIP offline a proactive measure to ensure "the ongoing security of its network."

The OPM has been hit by at least two major breaches. One, reported earlier this month, is feared to have resulted in the theft of personnel records of millions of current and former government employees.

A second breach was apparently carried out by hackers with connections to China and targeted a database containing copies of a 120-page questionnaire that's used by people seeking a national security clearance.

The Chinese government has denied the accusations.

The OPM, which serves as the government's human resources department and handles functions like hiring and retaining staff and running background checks, now faces legal action from US government staff.

A federal employees union has filed a lawsuit against the U.S. Office of Personnel Management, its leadership and a contractor, alleging that their negligence led to a data breach that compromised the personal information of millions of current, former and prospective government employees and contractors.

Since at least 2007, the OPM has been warned by its Office of Inspector General of significant deficiencies in its cybersecurity protocol, according to the proposed class-action suit filed Monday by the American Federation of Government Employees in the U.S. District Court for the District of Columbia.

However, OPM failed to take measures to correct these issues, despite handling massive amounts of federal applicants' private, sensitive and confidential information, the suit added. The data handled by the OPM included a 127-page form, called Standard Form 86, which requires applicants for security clearances to answer questions on their financial histories and investment records, children's and relatives' names, foreign trips and contacts with foreign nationals, past residences, and names of neighbors and close friends, according to the filing.

The lawsuit names the OPM, its director, Katherine Archuleta, and its chief information officer, Donna Seymour. Also charged is KeyPoint Government Solutions, a provider of investigative and risk mitigation services to the OPM.