6. No big deal?

The OMB made a big deal of one incident involving a bad actor gaining access to the login credentials of just one employee for just 15 hours — maybe because that person worked for the Office of the Inspector General (OIG), which has full access to all records and materials available to the Treasury Department, determines which of them to audit or investigate, and writes the reports. Due to the OIG’s defense in depth, the nation-state sponsored actor behind the attack was unable to access any information resources nor introduce any malware during the time they had access. The Treasury Department updated its multi-factor authentication policies, validated software configurations, and subjected staff to awareness training to prevent a reoccurrence.

7. Zero-day survey

The US Office of Personnel Management (OPM) reported a major incident involving a zero-day vulnerability in a file transfer application — likely the MOVEit hack, although it was not explicitly named — used by a contractor supporting the Federal Employee Viewpoint Survey (FEVS). The breach compromised government email addresses, unique survey links, and OPM tracking codes for about 632,000 employees at the Departments of Justice and Defense. In response, OPM stopped transferring FEVS data to the contractor, deactivated the survey links, assessed the harm, and notified affected individuals. The assessment found no evidence of unauthorized access or manipulation of survey results.

8. CFPB reinforces loss prevention

A Consumer Financial Protection Bureau employee — no longer with the agency, naturally — sent to their personal email account 14 emails containing personal information and two spreadsheets with details of around 256,000 customers of one single financial institution. The former employee ignored demands from CFPB to delete the emails and send proof of deletion. The official assessment indicated the data couldn’t be used for account access or identity theft, but some affected individuals were notified just in case. In addition, the CFPB strengthened technical controls to prevent inadvertent breaches, reminded all staff and contractors of its privacy policies, and reviewed all its information management procedures.