Hack Of Federal Gov't Employee Info Is Much, Much Worse Than Originally Stated: Unencrypted Social Security Numbers Leaked

from the because-that's-how-this-works dept

Over a decade ago, I pointed out that every single time there were reports of big “data leaks” via hacking, a few weeks after the initial report, we would find out that the leak was even worse than originally reported. That maxim has held true over and over again. And, here we go again. Last week, we noted that the US government’s Office of Personnel Management had been hacked, likely by Chinese hackers. And, now, it has come out that the hack was (you guessed it) much worse than originally reported.

The President of the union that represents federal government workers, the American Federation of Government Employees (AFGE), sent a letter to the director of the OPM, claiming that the hackers got away with the Central Personnel Data File, which includes just about everything there is to know about each federal employee — including (get this) unencrypted social security numbers.

Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees. We believe that hackers have every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more.

Oh, and then there’s this:

Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.

The letter further points out — as we did last week — that the 18 months of credit monitoring the government has offered everyone is a complete joke. It’s unlikely that the hackers are looking to do identity fraud for financial gain — and quite likely this is for espionage purposes.

But, let’s go back to the Social Security numbers being unencrypted for a second. Remember, this hack is already being used by defenders of the intelligence agencies to argue for why we need stronger “cybersecurity” laws that will give the NSA and FBI much greater access to Americans’ data.

And, yes, this would be the very same FBI that has actively argued against encryption. And the NSA has always hated encryption and insists it needs backdoors into any encryption.

Both of these organizations strongly support “cybersecurity” legislation, claiming that it’s necessary so that the US government can “help” companies dealing with “critical infrastructure.” And yet, here we are, with the government’s own personnel files being held in a system without encryption that was hacked and copied by (likely) foreign hackers. And we’re supposed to trust two government agencies who have been going around cursing encryption, that we should give them more access to “protect us,” when the damage from another government agency’s breach likely could have been limited if it had just encrypted the data?

As plenty of cybersecurity experts will tell you, the problem in the security realm is not “information sharing.” It’s people doing stupid things in how they set up their systems. Not encrypting the employee files for every government employee seems to fit into that category. To be clear, encrypting the SSN field is not a silver bullet: an attacker who steals the credentials of an application that is allowed to decrypt records can still read them one at a time. But it does mean that a copy of the database file, a backup, or a raw dump of the table is useless without the key, provided the key is kept apart from the data (in an HSM or a key-management service), and wholesale copying of the whole file is exactly what the union’s letter describes. Perhaps, rather than focusing on bogus “cybersecurity” legislation to give more power to the idiots shouting against encryption, we should have the government focus on getting its own house in order, including encrypting employee data.
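What “encrypting employee data” means in practice for a field like the SSN, as an added example that is not from the article, the union’s letter, or OPM: a hypothetical personnel row in which the SSN is stored only as AES-256-GCM ciphertext, with a keyed hash (HMAC-SHA256) beside it so that the application can still look a person up by SSN without decrypting every row. Everything here is constructed for illustration: the Record and Vault types, the employee name, and the SSN, which is not a real one. The keys are generated in memory for the example; a real deployment would keep them in an HSM or key-management service, separate from the database, and the index key must be guarded as carefully as the encryption key, since whoever holds it can test guessed SSNs against the index column.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is a hypothetical personnel row. The SSN is never stored in the clear:
// SSNCipher is nonce||AES-GCM ciphertext||tag, SSNIndex is an HMAC of the SSN.
type Record struct {
	Name      string
	SSNCipher []byte
	SSNIndex  []byte
}

// Vault holds the two keys (in memory here; an HSM or KMS in a real system).
type Vault struct {
	aead     cipher.AEAD
	indexKey []byte
}

// NewVault takes a 32-byte key (AES-256) and a separate key for the blind index.
func NewVault(encKey, indexKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, indexKey: indexKey}, nil
}

// Seal encrypts one SSN under a fresh random nonce; the employee name is bound in
// as associated data, so a ciphertext moved onto another row fails to open.
func (v *Vault) Seal(name, ssn string) (Record, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(ssn), []byte(name))
	return Record{Name: name, SSNCipher: ct, SSNIndex: v.BlindIndex(ssn)}, nil
}

// Open decrypts and authenticates the SSN in a record.
func (v *Vault) Open(r Record) (string, error) {
	ns := v.aead.NonceSize()
	if len(r.SSNCipher) < ns {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, r.SSNCipher[:ns], r.SSNCipher[ns:], []byte(r.Name))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BlindIndex is a keyed hash of the SSN: equality lookups work, but without the
// index key an attacker cannot enumerate the ~10^9 possible SSNs against a dump.
func (v *Vault) BlindIndex(ssn string) []byte {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(ssn))
	return m.Sum(nil)
}

// FindBySSN is the query-by-SSN path; it never decrypts anything.
func (v *Vault) FindBySSN(table []Record, ssn string) (Record, bool) {
	want := v.BlindIndex(ssn)
	for _, r := range table {
		if hmac.Equal(r.SSNIndex, want) {
			return r, true
		}
	}
	return Record{}, false
}

// LeaksPlaintextSSN models what a wholesale copy of the table gives an attacker
// without the keys: it scans the stored bytes for the SSN as text.
func LeaksPlaintextSSN(table []Record, ssn string) bool {
	for _, r := range table {
		if bytes.Contains(r.SSNCipher, []byte(ssn)) || bytes.Contains(r.SSNIndex, []byte(ssn)) {
			return true
		}
	}
	return false
}

func main() {
	encKey, indexKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(indexKey)
	v, _ := NewVault(encKey, indexKey)
	rec, _ := v.Seal("Jane Example", "123-45-6789") // constructed, not a real SSN
	fmt.Printf("stored row: %q %x %x\n", rec.Name, rec.SSNCipher, rec.SSNIndex)
	fmt.Println("SSN visible in a dump:", LeaksPlaintextSSN([]Record{rec}, "123-45-6789"))
	ssn, err := v.Open(rec)
	fmt.Println("holder of the key reads:", ssn, err)
}
```

A raw copy of the table yields ciphertext and HMACs, not SSNs; only a caller holding the key can read them. That is the limit of encryption at rest: it defeats the dump, the stolen backup, and the bulk export, not an attacker who has taken over the application that is entitled to decrypt.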



Comments on “Hack Of Federal Gov't Employee Info Is Much, Much Worse Than Originally Stated: Unencrypted Social Security Numbers Leaked”

Jack says:

Does ProtectMyID’s insurance kick in if you get arrested for espionage because some Chinese spook was a little sloppy when using your identity to compromise national security?

I feel bad for anyone who looks like they might have Asian ancestry or a name that sounds vaguely Chinese – the next few years are really going to suck for them. But hey, at least the next time Target gets hacked and their data shows up for sale on some shady Tor site, they’ll find out about it, while probably sitting in a jail cell.

Anonymous Coward says:

Re: What’s So Secret About Social Security Numbers, Anyway?

Maybe not stupid, but whoever came up with the concept of designating the office that issued the number provided fodder to all the conspiracy theorists.

(For those that don’t know: until recently the first 3 numbers of the SSN designated the office that issued the number. Because most people got their number from the office in the city or county they were born in everybody thought the number was coded for their birth area.)

Mason Wheeler (profile) says:

Re: Re: What’s So Secret About Social Security Numbers, Anyway?

That’s interesting. Do you have a source on that? I’ve heard in the past that the first 5 digits are the ZIP code where your card was originally issued, but I know that’s not right because I looked up the first 5 digits of mine and they aren’t a valid ZIP code.

Anonymous Coward says:

Re: What’s So Secret About Social Security Numbers, Anyway?

The problem is not that they are particularly secret. The problem is that they are used as if they were both secret and an authentication token. You could eliminate some, maybe many, of the financially motivated hacks if you passed a law that did two things:

(1) Amend liability laws to provide that any organization which uses SSN as sufficient proof of identity is considered negligent for the purpose of verifying identity. If an organization issues credit (whether credit card, bank transfer, bank loan, insurance payment, etc.) solely because the recipient knew a name+SSN pair, then they cannot avail themselves of any legal processes to try to collect from the actual owner of that SSN. This would effectively outlaw relying on the SSN for financial transactions, since no organization that continued to rely on it could collect payments due to it. Any organization that did not update their identity verification mechanism could be legally defrauded by anyone who knew a name+SSN mapping, with no recourse by the organization.
(2) Direct the Social Security Administration to publish a full list of all the name to SSN mappings, for every person with a number, living or dead. Going forward, new numbers would be published when issued (or on some convenient schedule, such as a monthly dump of all numbers issued since the last dump). The big dump would come a specified number of months (say, 6-12) after the liability change kicks in. After the data dump begins, defrauding defective organizations would be easy. Widespread lawful fraud would compel them to switch to a better mechanism.

Anonymous Anonymous Coward says:

In kind services

When the NSA is no longer allowed to view American information directly, or GCHQ to view British information directly, it will be necessary to allow GCHQ easy access so they can trade information with each other. Encryption just makes life more difficult. Isn’t this what trade agreements are all about anyway?

Besides, whomever hacked this database now has a fairly complete list of US Government sponsored terrorists who spend their time denying the fact that they are the terrorists.

vegetaman (profile) says:

On a side note about SSNs...

Maybe we can finally stop using SSNs as a unique identifier for people, or pretend it confirms someone’s identity, since every company seems to request/require/have access to people’s SSNs (and then treat that access with the type of nonchalant, non-caring attitude we’ve come to expect in the cyber security age).

John Fenderson (profile) says:

Re: On a side note about SSNs...

Yes. One thing about social security numbers that most people don’t seem to know is that they’re not anywhere close to being a secret. It’s very easy to get almost anyone’s SSN.

By the way, with a few exceptions centered around businesses that are required to report to the government, no business can legally demand your SSN. Most businesses that ask for it will assign a different ID number to you if you refuse to provide it. Some even tell you that on their forms.

OnceWorkedForOPM says:

Follow the Money

Just a comment on this, since it’s making lots of news. The letter is from the Employee’s Union. Not a tech expert or anyone involved in the investigation. They are making noise because they want more ~~money~~ compensation for the employees. They don’t have any more inside information than anyone else.

Read the letter – he is claiming that they “suspect” this based on “sketchy information”. He then uses his suspicion to begin to make the case that the employees (the union?) need more ~~info~~ ~~money~~ power.

This is Washington, folks. Follow the money. This wasn’t someone who knows more than the people working the hack. This was a political move. Doesn’t mean it’s not much worse than OPM knows or has admitted; doesn’t mean it is. Just be careful and think it through.

Anonymous Coward says:

Time to check the logs very very carefully, and very very thoroughly monitor all databases where an SSN is linked to a photograph. Extra care in log examination and monitoring if the system allows query by SSN. Any government spy agency would be very careful not to tip its hand until it had gathered all the information that it could before acting on identified people on the US payroll within its borders.
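The log review the commenter above calls for, as an added example that is not part of the original comment or page: a small detector in Go that parses constructed audit lines from a hypothetical personnel database and raises an alert when one principal performs a burst of lookups by SSN inside a sliding window, or when a single query returns a bulk result set. The line format (timestamp, account, operation, row count), the account names, the operation names and the thresholds are all assumptions made for this example, not OPM’s. Events are sorted by timestamp before windowing, because lines from several database shards need not arrive in order.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

type Event struct {
	TS   time.Time
	User string
	Op   string
	Rows int
}

type Alert struct{ Rule, User, Detail string }

// Thresholds are illustrative, not OPM's.
const (
	window     = 10 * time.Minute
	maxLookups = 20     // lookup_by_ssn calls per user per window before alerting
	bulkRows   = 100000 // a single query returning this many rows is suspect
)

// ParseLine parses the assumed format "2015-04-15T09:03:11Z <user> <op> <rows>".
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	rows, err := strconv.Atoi(fields[3])
	if err != nil {
		return Event{}, fmt.Errorf("bad row count in %q: %v", line, err)
	}
	return Event{TS: ts, User: fields[1], Op: fields[2], Rows: rows}, nil
}

// Detect flags a per-principal burst of lookups by SSN inside a sliding window
// and any single query that returns a bulk result set.
func Detect(lines []string) ([]Alert, error) {
	events := make([]Event, 0, len(lines))
	for _, l := range lines {
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	// Lines from several shards need not arrive in order; window over time order.
	sort.Slice(events, func(i, j int) bool { return events[i].TS.Before(events[j].TS) })
	var alerts []Alert
	recent := map[string][]time.Time{} // user -> lookup timestamps still inside the window
	alerted := map[string]bool{}
	for _, ev := range events {
		if ev.Rows >= bulkRows {
			alerts = append(alerts, Alert{"bulk_export", ev.User, fmt.Sprintf("%s returned %d rows at %s", ev.Op, ev.Rows, ev.TS.Format(time.RFC3339))})
		}
		if ev.Op != "lookup_by_ssn" {
			continue
		}
		q := recent[ev.User]
		for len(q) > 0 && ev.TS.Sub(q[0]) > window {
			q = q[1:] // expire lookups older than the window
		}
		q = append(q, ev.TS)
		recent[ev.User] = q
		if len(q) > maxLookups && !alerted[ev.User] {
			alerted[ev.User] = true
			alerts = append(alerts, Alert{"ssn_lookup_burst", ev.User, fmt.Sprintf("%d lookups by SSN within %s, starting %s", len(q), window, q[0].Format(time.RFC3339))})
		}
	}
	return alerts, nil
}

// SampleLog is constructed for this example (not real OPM data): a clerk's ordinary
// daytime lookups, one whole-table query, and a service account hammering
// lookup_by_ssn at 02:13, deliberately listed out of time order.
func SampleLog() []string {
	lines := []string{
		"2015-04-15T09:03:11Z clerk_217 lookup_by_ssn 1",
		"2015-04-15T09:04:02Z clerk_217 lookup_by_ssn 1",
		"2015-04-15T02:40:00Z backup_svc select_all 4200000",
	}
	t0 := time.Date(2015, 4, 15, 2, 13, 7, 0, time.UTC)
	for i := 0; i < 25; i++ {
		ts := t0.Add(time.Duration(i) * 2 * time.Second).Format(time.RFC3339)
		lines = append(lines, ts+" hr_app_svc lookup_by_ssn 1")
	}
	return lines
}

func main() {
	alerts, _ := Detect(SampleLog())
	for _, a := range alerts {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.User, a.Detail)
	}
}
```

Run against the constructed log, the detector raises one burst alert for hr_app_svc and one bulk-export alert for backup_svc, and nothing for the clerk. The burst rule is the one that matters for a system that allows query by SSN: an espionage collector pulling records one at a time looks like a normal user, only faster, and the only thing that separates the two is rate per principal over time.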

Anonymous Coward says:

It is an essential feature.

Of course the data is unencrypted. It is an essential function to access the data in the database:
1. Someone in the AFGE wants to access data on a federal employee.
2. Big Ass Golden Key for Everyone (BAGKE) is used by a hacker to copy the data in the database.
3. As the data is traveling along the backbone, the data is then copied once again by the NSA and relayed to whoever was asking for that data.

As you can see, encryption would clearly be in the way and make it much harder to find the right data on the backbone. Trust me… I am an expert.

Anonymous Coward says:

Oh, it's MUCH worse than merely SS numbers

It appears that the hackers got their hands on the employees’ SF-86 forms. That’s the piece of paperwork involved in background checks, and it contains VAST amounts of information not only about the employee, but family, friend, neighbors, colleagues, any foreign nationals they come into contact with, etc.

There’s stuff in there about employment. About sex practices and partners. About any brushes with law enforcement. About EVERYTHING.

If you were looking for people to blackmail and for information to do it with, this is the paperwork you’d want.

And that “foreign national” part has implications too, as there are a number of governments on this planet that might choose to go after their own citizens based on association with people employed by the US government.

The failure here is stunning. Those forms shouldn’t be merely encrypted, they should be on airgapped computers so that acquiring them requires physical access plus hacking those systems plus breaking the encryption. Heck, they should probably be encrypted with an N of M cipher (that is, one that uses M keys and requires that N, N

Roger Strong (profile) says:

a few weeks after the initial report, we would find out that the leak was even worse than originally reported.

A friend once took a temporary job in the Alaska office of a large national charity, to cover an accountant who was on vacation. She discovered that the accountant had been embezzling. It was a MAJOR disaster for the charity, as the news would affect further donations and funding.

“Luckily” the Exxon Valdez had recently hit a rock, and they got to talk to the PR firm brought in to clean up the mess.

The advice: Release ALL the information, every last detail, all at once. It would get the same amount of coverage on day one regardless, and on day two it would be old news. With no further information to be leaked, nothing new to report, there would be no new headlines.

This is why WikiLeaks and the folks holding Snowden’s documents prefer a slow trickle of releases. One big release would make headlines on day one, and the vast majority of the information would be unreported and overlooked. A slow, steady release of documents means that each is a fresh story, to get new coverage in the press.

It’s a lesson that those with big “data leaks” should learn.

Anonymous Coward says:

I am so glad to hear that all of these social security numbers are unencrypted, because it’s important we work with companies and agencies to “prevent encryption above all else”. Just imagine the egg on the FBI’s face if, after all their perfectly justified claims about how encryption only helps the terrorists and child molesters, it turned out that this data held by the US government was encrypted.

Crisis averted. Thanks Michael Steinbach and William Crowley. Enjoy your brave new world.

Anonymous Coward says:

Re: Re:

There is just one problem:
The way this is gonna be spun out is not that the data wasn’t encrypted, but rather that this happened because hackers are bad and foreign hackers are the worst. They will then insist that in order to catch such people, they need more access and less encryption, as if anyone will automatically obey these rules.
There will never be any apology or admission of any bad judgement or sloppiness from their part, only ever accusations of others and the constant pushing for more power.

Web_Rat (profile) says:

Wait a minute, really folks what is all the fuss about? Sure our own duly elected government has embarked on and expanded non-warranted collection of data on its very own citizens. And yes, the government proclaims any information you may have involving a 3rd party has no expectation of privacy. Furthermore federal officials are bemoaning the fact that encryption without a government sanctioned “backdoor” will cripple the war on terrorism.

Everyone seems to be forgetting that Obama promised to have the most transparent administration in the history of the United States…….
