Vulnerability Forces OPM to Pull Background Check System Offline

OPM

The Office of Personnel Management announced yesterday that it is temporarily suspending the system it uses to conduct government background checks.

The Office of Personnel Management — already deep in the throes of a breach that may implicate upwards to 18 million government employees — announced yesterday that it is temporarily suspending the system it uses to conduct government background checks.

According to the OPM, the shuttering of the system known as E-QIP, or Electronic Questionnaires for Investigations Processing, comes after a vulnerability was found in the web-based platform while it was being reviewed. The system, which is used primarily to complete and submit background investigation forms, could remain offline for “security enhancements” for up to six weeks.

E-QIP is an automated system used by government agencies to transmit sensitive information of prospective job applicants during background checks for “security, suitability, fitness and credentialing purposes,” according to a description on OPM’s site. Up to 90 percent of government background checks, more than two million a year, including those carried out by the FBI, the Navy, and the Department of Agriculture, rely on E-QIP.

The OPM claims it will come up with “alternative approaches to address agencies’ requirements,” until it can get E-QIP back online.

OPM Director Katherine Archuleta disclosed the E-QIP news via a press release on Monday and insisted the vulnerability wasn’t the result of malicious activity and that there isn’t any evidence the hole had been exploited.

“This proactive, temporary suspension of the e-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted,” Archuleta said.

Archuleta wouldn’t make a connection between this vulnerability and the one that reportedly led to the exposure of up to 18 million current and former individuals that was announced earlier this month.

Information leaked in that incident, made public June 4, reportedly includes Social Security numbers and government workers’ dates of birth, along with employee performance records, employment history, employment benefits, resumes, school transcripts, and any military service documentation.

OPM became aware of the breach in April and is still in the midst of sending notifications to the four million individuals who may have been compromised. CNN reported last week that FBI Director James Comey has speculated during closed-door meetings with senators that the number of those affected may ultimately hover in the 18 million range.

The E-QIP news comes on the same day that a federal employees’ union filed a class action lawsuit (.PDF) against OPM, calling the agency negligent when it comes to securing personal data.

The American Federation of Government Employees (AFGE) – the nation’s largest federal employee union – is suing the office but also names Archuleta and its CIO Donna Seymour as well. The 69-page document alleges that the OPM has been aware of “significant deficiencies in its cyber security protocol” since at least 2007 and despite handling a wealth of confidential information, has failed to address them.

“AFGE will not sit idly by while OPM fails to comply with the most basic requests for information or provide an adequate response,” the AFGE said in a statement accompanying the lawsuit, “Even after this historic security breach, OPM has continued to use poor data security practices and inferior private-sector strategies to solve its security woes.”

The lawsuit also names Keypoint Government Solutions, the Colorado-based firm that the OPM hired to handle government background checks in December 2014 as a defendant. Archuleta blamed the misuse of a KeyPoint user credential as the source of the breach last week. KeyPoint has countered that there’s no direct evidence the company was responsible or involved in the breach.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.