US Government's HR Department Has Been Hacked, Government Employee Data Leaked

from the if-you-can't-clean-up-your-own-home... dept

The US government keeps insisting that companies should be giving it information in order to help the government block “cybersecurity” attacks on those companies. In fact, as just reported, the NSA is already scooping up tons of information in trying to spot malicious attacks ahead of time, despite insisting in the past that it wasn’t doing this. However, before everyone starts handing over information to the federal government, shouldn’t we have some sort of evidence that the US government itself actually has some decent cybersecurity skills?

Because it appears that, yet again, there has been a massive data breach, and this time, it’s the US government’s Office of Personnel Management (OPM), which is basically the HR department for the entire federal government. In other words, hackers may have gotten access to the personal information on tons of current and former government employees:

The agency said that in April of 2015 it had identified “a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information,” although the breach is only being disclosed now. OPM also said that it will notify around 4 million people whose personal information “may have been compromised”—although the number is likely to grow since the investigation is ongoing.

Taking the same idiotic, symbolic but pointless, response as the private sector every time there’s a breach, the OPM is promising some free credit reporting:

To protect employees from identity theft, OPM is giving them free “credit report access, credit monitoring and identity theft insurance and recovery services,” according to the press release.

“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” OPM Director Katherine Archuleta said in a statement.

Actually, that last statement does not appear to be true. As the report at Vice’s Motherboard (linked above) notes, this is the second time in less than a year that this happened, and last time it was determined to be Chinese hackers who broke in — and that’s who is suspected again this time. In which case, “free credit reporting” services are likely to be totally useless. It’s quite likely that whoever hacked in wasn’t doing it to do identity fraud and swipe credit card numbers, but to get useful information for additional, more sophisticated hacks to get access to various government employees’ computers and networks.

So, yeah, if the US government can’t even protect its own systems against these hacks, can someone explain why, again, we’re expected to have companies hand over their own information under the false belief that the government will somehow protect them against attacks as well?


Comments on “US Government's HR Department Has Been Hacked, Government Employee Data Leaked”

Former Fed says:

Re: Re:

If OPM is like most other federal agencies, nearly all the IT work is contracted out. The contracting companies’ goal is to deliver as little as possible while charging as much as they can get away with. The COTRs – the feds responsible for monitoring the contractors’ performance – often don’t have the skills or the “junk yard dog” attitude needed to do a good job.

Anonymous Coward says:

Re: Re: If they used that "Dark" encryption ...

My question is *when* the NSA is hacked, are they going to give the entire world free credit monitoring?

First, you cannot hack No Such Agency because it does not exist. But if it did get hacked anyway, they could of course provide free credit monitoring to the world, because they are already monitoring everyone’s credit for their own nefarious ends. CC’ing you on their monitoring would be comparatively cheap, and probably a lot cheaper than buying everyone a credit monitoring package from the commercial bureaus.

Anonymous Coward says:

Re: Re: If they used that "Dark" encryption ...

Maybe that’s the precursor…first they let themselves get hacked, then they offer the entire planet free credit monitoring. The data from the credit monitoring agencies goes straight to the NSA.

Boom! We’re totally safe & secure now!

Unless they get hacked again, then they have to repeat the offer…oh, wait.

Anonymous Coward says:

I still can’t wrap my head around the fact that the government seems to be both “pro-cybersecurity” and “anti-encryption” at the same time.

Do those morons not realize that the two policies are incompatible? To get strong cybersecurity you need strong encryption and spy and hacking-proof systems…so why the hell are they still pushing for easy-to-spy and easy-to-hack systems in the media then?!

Anonymous Coward says:

It seems everything is hooked to the internet these days

You gotta love the mindset that if there is a computer lying around, it has to be hooked to the internet. There are all kinds of security mechanisms to keep people from getting to systems they shouldn’t get to. Some systems should not even be hooked to the internet. Just wait until the internet of things really takes hold and hackers start controlling houses, cars and anything else that isn’t nailed down. We need to get a handle on security now as it is nearly impossible to secure things after the fact.

Anonymous Coward says:

Re: Re:

This is the government we are talking here. Odds are the payroll data includes things like, CIA operative in Iraq as the job title. So if you remove everything identifiable, you probably are only left with people that are on the payroll due to system bugs, or because they had already hacked the payroll system to add themselves to it.

Oblate (profile) says:

"Identity theft protection"

They’re offering affected employees identity theft protection - for 18 months. Why 18 months, do they think the hackers will give the information back by then? I wonder why they weren’t as concerned about protecting employees’ information when they were designing their IT systems. The only logic I can see behind the 18 month span is that it’s likely to last until the next major breach (and another 18 month protection plan).

Nate (profile) says:

Re: "Identity theft protection"

Does that mean 18 months identity theft protection on top of the other two offers of 18 month identity theft protection?

I ask because I have letters dated 3 September and 22 March which detail two previous hacks (say the word and I will scan and post them).

So is the identity theft protection offered concurrently or consecutively, do you think?

Anonymous Anonymous Coward says:

Re: Re: "Identity theft protection"

Bah, don’t you realize that you will be required to identify which breach your identity theft came from before any identity theft protection plan will be enforced? You have a 1 in 3 chance of being right (start flipping coins), now, the next breach will make it 1 in 4.

Oh, and make sure you use the correct government issued breach identifier [Classified info, as you well know] when referring to breaches so that there are no mistakes because dates won’t work as the breaches were all ‘over a period of time’ which might include days, weeks, or months depending on your perspective.

Anonymous Coward says:

Re: Maybe read the entire article first

Maybe it’s just a way to transfer money to the credit reporting agencies. Monitoring is not cheap for four million customers. Since the big three have taken it upon themselves to collect all of this data on consumers, perhaps they should have an obligation to make credit freezes and monitoring free.

Anonymous Coward says:

Multiply the numbers by 4-5. Security clearance application data requires some personal information of family and friends of those applying for clearances. If that database was hacked then this isn’t just about federal employees.

Will the government be offering credit “protection” for those people too?

Anonymous Coward says:

I haven't been notified yet

My information is one of those that would have been stolen from the OMB. I have not received any notification that I will be receiving free monitoring.

According to some reports that I have seen, the hackers could wait years to use this information. I guess the Gov’t owes me perpetual credit monitoring…..

Anonymous Coward says:

4 months undetected

I just heard that the hack went four months without being detected.

The Australians (I think the Defence Department) used the top 4 strategies to stop hackers. They did get in, but got no information. The top 3 that I remember were:

1. Whitelisting
2. Frequent OS patching
3. Frequent application patching

Anonymous Coward says:

It’s genius.

The data sharing with companies will reduce attacks on the companies. The government collects loads of data from companies, puts it in a huge, poorly protected database and makes a big target for hackers. Why would the hackers bother attacking the companies with that there instead? So at a stroke, the risk of the companies getting hacked goes to zero.
