OPM suspends e-QIP to patch a severe security flaw

The OPM announced that it has temporarily suspended its Electronic Questionnaires for Investigations Processing (e-QIP) system to fix a security flaw.

According the results of a security audit conducted after the hack at the US Office of Personnel Management (OPM) the systems of the US Department are affected by a serious vulnerability.

The vulnerable system is the “Electronic Questionnaires for Investigations Processing”, aka e-QIP, according to an official statement from the OPM it will be taken offline for as long as six weeks in order to patch the vulnerability.

“The U.S. Office of Personnel Management today announced the temporary suspension of the E-QIP system, a web-based platform used to complete and submit background investigation forms. ” the OPM’s statement states. “OPM expects e-QIP could be offline for four to six weeks while these security enhancements are implemented. OPM recognizes and regrets the impact on both users and agencies and is committed to resuming this service as soon as it is safe to do so.”

What is the  e-QIP?

e-QIP is a set of Web forms used to conduct background checks for federal security, suitability, fitness and credentialing purposes. It allows to “complete and submit background investment forms”, as explained in the OPM’s statement says.

“Welcome to the Electronic Questionnaires for Investigations Processing (e-QIP) system. e-QIP is a web-based automated system that was designed to facilitate the processing of standard investigative forms used when conducting background investigations for Federal security, suitability, fitness and credentialing purposes. e-QIP allows the user to electronically enter, update and transmit their personal investigative data over a secure internet connection to a requesting agency.” states the official page of the e-QIP.

According to the OPM, the temporary suspension of the e-QIP system is a proactive step taken to improve the security of the organization, and it is not related to the OPM hack.  The investigators have no evidence that the flaw has been exploited since now.

“The security of OPM’s networks remains my top priority as we continue the work outlined in my IT Strategic Plan, including the continuing implementation of modern security controls,”stated OPM Director Katherine Archuleta. “This proactive, temporary suspension of the e-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted.”

There is a lot of confusion about the number of people affected by the OPM hack, the original estimate that four million users were affected, but the FBI admitted that at least 10 million people were impacted and some estimates even reach 18 million.

The American Federation of Government Employees (AFGE) has filed a class action lawsuit against the OPM and its executives. The AFGE has highlighted that the audits conducted by the OPM over the past years have revealed the existence of several security issues that “could potentially have national security implications.”

According to the AFGE, the OPM failed to adopt a proper security posture adopting necessary countermeasures.

Pierluigi Paganini

(Security Affairs –OPM, hacking)