Breach of federal jobs site highlights need for contractor liability, security observer says

Agencies should hold contractors liable for security breaches to encourage better protection of sensitive information upfront, said a director at a top computer security training organization in response to this week's breach of the federal government's primary Web site for job postings.

"Outside organizations nearly always run [civilian] sites," as well as many for the Defense Department, said Alan Paller, director of research at the SANS Institute, a Bethesda, Md.-based cybersecurity research and education group. "Even if they don't contract the whole job out, they hire contractors and Internet service providers. What's needed are consequences from the breaches written into contracts so the site puts a much higher priority in making sure this doesn't happen -- again."

The recent online security breach, which involved the Office of Personnel Management's USAJOBS.com site, could result in a spike in targeted phishing attacks, which trick people into revealing sensitive information, such as Social Security numbers, Paller said.

Users with personal accounts on USAJOBS.com, which touts itself as the official one-stop source for federal jobs and employment information and currently has more than 14,000 jobs posted, recently discovered through a security alert posted to the Web site that their personal information was breached. Specifically, user IDs and passwords, e-mail addresses, names, phone numbers and some basic demographic data was obtained. Social Security numbers and personal financial data were not exposed.

A hacker stole the information from a database maintained by technology provider Monster, which also runs the widely used private sector jobs Web site of the same name.

Paller said targeted phishing attacks are the biggest threats posed by the breach. Such attacks tailor spam e-mails to include the victim's personal information, making the intrusion harder to spot.

A similar security breach occurred in July 2008, when job hunters and recruiters were sent e-mails asking them to click a link provided in the message to access their Monster.com accounts and update their profiles. The site was actually a spoof site traced back to a computer in Turkey that was hijacked with malicious software to operate the scam.

Other less likely threats include direct identity theft using the stolen information, and reusing usernames and passwords to attempt access to other online accounts held by the individual, Paller said. Many people reuse login information.

The alert on USAJOBS.com suggested that job seekers immediately change passwords used to log onto the site, a recommendation that eventually could become a requirement for account access.

The alert also noted that Monster would never send any unsolicited e-mails asking for username and password confirmations nor would the company urge users to download any software, tool or access agreement to use USAJOBS.com personal accounts. Users should be wary of fraudulent e-mails that advertise positions in managing financial transactions or cashing checks, which are attempts to engage job seekers in money laundering or bad check scams, the alert warned.

"[OPM] has not received any inquiries or messages from [USAJOBS] users who feel their information has been accessed or used inappropriately," said OPM spokesman Mike Orenstein.

Suspicious e-mails regarding searches on USAJOBS.com should be forwarded to mayday@fedjobs.gov.