Second OPM Hack Revealed: Even Worse Than The First

from the the-federal-government,-ladies-and-gentlemen dept

Oh great. So after we learned late yesterday that the hack of all sorts of data from the federal government’s Office of Personnel Management (OPM) was likely much worse than originally believed — including leaking all Social Security numbers unencrypted — and that the so-called cybersecurity “experts” within the government weren’t even the ones who discovered the hack, things are looking even worse. That’s because, late today, it was revealed that there was likely a separate hack, also by Chinese state actors, accessing even more sensitive information:

The forms authorities believed may have been stolen en masse, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant’s Social Security number and that of his or her cohabitant is required.

In a statement, the White House said that on June 8, investigators concluded there was “a high degree of confidence that … systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.”

“This tells the Chinese the identities of almost everybody who has got a United States security clearance,” said Joel Brenner, a former top U.S. counterintelligence official. “That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That’s a gold mine. It helps you approach and recruit spies.”

And yet… this is the same federal government telling us that it wants more access to everyone else’s data to “protect” us from “cybersecurity threats” — and that encryption is bad? Yikes.


Comments on “Second OPM Hack Revealed: Even Worse Than The First”

58 Comments
That One Guy (profile) says:

Worrisome, but not surprising

Make the target valuable enough, and it’s not ‘if’, but ‘when’ it will be hacked.

This should be held up as a perfect example of why it’s a terrible idea to engage in mass spying and data collection, because even if the ones doing it never use the information themselves, such a database is an extremely tempting target for anyone, government or otherwise, who believes that the data is valuable.

If the database exists, it will be hacked, it’s only a matter of time, meaning it’s better to never create it in the first place.

JoeCool (profile) says:

Re: Re: Worrisome, but not surprising

The REAL question is – why the hell is this even on the net in the first place?!?!?! You don’t take databases with the most sensitive info and place them on the open net. Basic Security 101. At least make the fuckers have to send a spy in person to infiltrate the facilities – hasn’t decades of James Bond movies taught them anything?

Starke (profile) says:

Re: Re: Re: Worrisome, but not surprising

They probably put the database online because… well, it’s the Federal government.

The database was originally created to be used, so while sticking it behind an air gap would have been the smart thing to do, it was not the useful option.

It was also probably created because the government has a pathological need to retain any information it ever obtains.

As for exactly how it ended up online? The people actually getting paid for implementing it either picked a simple standard online database setup to allow access from anyone who should be throwing data at it. Or the people overseeing its creation were easily wowed by the prospect of the database being available to their people nationwide, without any thought to security because they weren’t techs, just administrators with no real understanding of network security.

You know, the same kinds of people that just say, “well, our people are smart so encryption golden keys are the way to go. Because, we need to see what other people are doing, and our people can figure out a way to keep everyone else out.”

Tobias Harms says:

Re: Worrisome, but not surprising

Time to take a page from the terrorists’ book and create some sort of cells for databases? The whole database wouldn’t be compromised just because a part of it was.
Now how the heck you would go around building a database like that I’ll leave as an exercise for the reader 🙂

OldMugwump (profile) says:

Re: Worrisome, but not surprising

Agreed. The Feds can’t even keep their own data secure, and we civilians are supposed to trust them with ours?

This ought to (but won’t) completely kill the idea of key escrow and the Feds logging and archiving private data.

I’m probably more trusting than I should be regarding motives, but I’ve never been trusting re competence. I’ve never applied for a security clearance, and can’t imagine doing so.

Anyone who did trust the Fed’s competence by (honestly) filling out a Standard Form 86 has now been proven a fool – anything embarrassing, or even just useful for leverage (which relatives to threaten…), is now in play.

And these incompetent fools are telling us to trust them with our data?

FM Hilton (profile) says:

The question arises

If the Chinese are stealing our personal information, why are we still on diplomatic terms with them?

They’ve stolen the top level personal information of our government and now the Chinese know all about their life problems.

I smell blackmail in the air.

I just wonder how stupid the government really is. They just admitted their entire personnel files are now in the possession of a semi-hostile country.

Data that was not encrypted, due to utter stupidity and belief that they would be able to prevent/stop such events with the usual derring do. They failed this one miserably.

Also the same government that has been trying to blackmail/cajole Microsoft and other big computer companies to allow them a backdoor into the systems, and forbidding encryption.

Looks like the government now needs “Life Lock”.

Anonymous Coward says:

Re: The question arises

“[…] why are we still on diplomatic terms with them?”

This is how the intelligence game is played. Back in the day, it would have involved someone going in and physically photographing or copying files. Nobody’s going to war or breaking off relations due to something like this, because I can tell you with perfect certainty that everyone involved in international espionage/politics is pulling the same shit. The only real shame on that field is getting caught red-handed with enough evidence for a courtroom. And even then the worst that really happens (publicly, anyway) is the international equivalent of name-calling or a few agents getting tossed in the clink.

Capt ICE Enforcer says:

Hate it

Okay, now I am beyond mad, 20 years in doing things for my nation and they did stupid mistakes like this. And the kicker, they plan to offer free ID protection for a year to cover this. The SF 86 is a complete record of everything with the exception of what the individual ate for dinner last night. I can honestly say I am scared for my family. Now I need to recreate everything using BS answers to security questions. I think a suitable answer for all security questions would be IH8UGOVOPMAHOLES

Nickweller (profile) says:

Re: Hate it

‘This form will be used by the United States (U.S) Government in conducting background investigations, reinvestigations, and continuous evaluations of persons under consideration for, or retention of, national security positions as defined in 5 CFR 732, and for individuals requiring eligibility for access to classified information under Executive Order 12968.’

translation: We may leak such compromising information against you if you discover illegal activity by a U.S Government agency and attempt to disclose such to the media.

https://www.opm.gov/forms/pdf_fill/sf86.pdf

OldMugwump (profile) says:

Re: Hate it

Captain, thank you for your 20 years of service. I mean that sincerely.

I’m sure you meant well, and perhaps you even did good things to help your neighbors and the world.

But, with all due respect, trusting the Feds to keep your SF86 information secure was…foolish. And now you’re going to pay the price.

Anonymous Coward says:

Re: Re: Hate it

Unfortunately, you don’t get a lot of choice in the matter for many lines of work. My info is somewhere in that pile as well, from when I had to get a clearance to do my job….which, given the economic downturn at the time was quite nice to have given the many rounds of layoffs my company had gone through.

Capt ICE Enforcer says:

Government Agency

If only the US had an agency whose sole purpose was to find ways to defend our nation from cyber attacks by creating super sophisticated encryption which is easy to use with multiple levels of protection. You know, an organization which would not only prevent Whitehouse.gov from being hacked, but also prevent all networks from being hit. Hmm what would we call it, National Protection Agency NPA. Nah, what about National Security Agency NSA. It has a nice ring to it.

Doug says:

Encryption anyone

Seems like the war on encryption ought to be over now. Encryption would have helped in this case. The gov’t can’t very well now argue that only criminals need encryption. All you have to do is say, “What, you don’t like encryption? What about OPM? … Thought so.”

Whoever didn’t encrypt this data was negligent at a minimum. Gov’t being what it is, no one will be fired…

Capt ICE Enforcer says:

Cost vs benefit program.

Let’s weigh the cost vs benefits of having the NSA around.
NSA- Helped destroy the world’s view on the US being a great nation. Ticked off everyone on the planet with the exception of the guy living under the rock in the GEICO commercial. And cost a lot of money each year to operate even though people are going hungry in the streets.
$60 Security program- Found major security violation and malware on the span of a 30 minute sales demo. Did not possible off the entire planet. And can back up everything it does in a clear manner. Looks like the NSA needs to shut down.

wazmo (profile) says:

And one of the roles that the NSA is supposed to perform for the US Government is ‘Information Assurance’:

https://www.nsa.gov/ia/ia_at_nsa/index.shtml

“NSA’s Information Assurance Directorate (IAD) protects and defends National Security Information and Information Systems, in accordance with National Security Directive 42. National Security Systems are defined as systems that handle classified information or information otherwise critical to military or intelligence activities.

IAD is responsible for NSA’s defensive mission and is widely acknowledged for leading innovative security solutions. Partnering extensively with government, industry, and academia, allows IAD to ensure appropriate security solutions are in place to protect and defend information systems, as well as our Nation’s critical infrastructure. IAD’s work is guided by its vision to create “Confidence in Cyberspace.”

Seems to me that it’s high time we drag the current and former heads of the NSA before Congress and ask them how this happened on their watch. Of course, like what happened with the financial crises, bringing anything into the public sphere would be tantamount to being ‘too big to fail’

Uh, guess what just happened……

Anonymous Coward says:

One more reason to screen my phone calls:

“This is the IRS, if we do not receive payment within the next 30 minutes, we will send someone to your house to arrest you…”

“Our son was killed in Afghanistan/Iraq and we need to pay for funeral costs. The government isn’t helping us. Would you please donate some money?”

“You have won $1,000,000!!! Just wire us $1,500 from your bank account to cover the processing fees and the money will be delivered!”

“Hello, this is Chinese Intelligence. Have you thought about the lucrative business of trading government secrets?”

Stephen says:

OPM Managers Need Lessons in Online Security 101

This is an unmitigated disaster for the US.

Putting all that sensitive data on a computer connected to the Internet was a bad idea from the get-go and those in charge should have realised that from the beginning. If nothing else the very act of putting it online meant that they were painting a large red target on that data, daring hackers to have a go at breaching security and exfiltrating it. Which, thanks in part to pitiful security, they not only succeeded in doing, but were able to get away withOUT detection until pure chance and a product demo exposed them.

At the very least somebody needs to get fired for this, although chances are it will be some poor schmuck at the coalface end rather than those higher-ups whose decisions (or lack thereof) led to this fiasco.

MadAsASnake (profile) says:

You would think there was a lesson here for the US gov:
1. You can hardly blame the Chinese [if it was them] when NSA is doing same
2. There is no excuse for not securing deeply personal info in your possession. Businesses are required by law to do that. Encrypt the data, air gap the really sensitive stuff
3. Breaking that encryption for your own purposes pretty much invalidates 2. Encryption is useless if it has a back door.
Unfortunately the response to this will be nothing but red faced silence. What should really happen now is that the US get rid of all the intelligence staff compromised (this is a way bigger risk than Snowden) and start again. This lot are so corrupt, that is probably a good idea anyway.

Gary Mont (profile) says:

Learning from the Pros

Gotta love the Chinese resilience.

Having been hacked and blackmailed by the US spy agencies for years, they have finally turned the tables and joined The Five Eyes Blackmail Game, by learning how to blackmail the Five Eyes’ member nation’s spies themselves.

I guess the leaders of the Five Eyes thought that they could secretly survey and blackmail the world and the world would just obey them and bend over, and not try and protect itself from them. They didn’t even bother to secure their own data because they think the rest of the world is composed of lesser beings.

What a bunch of self-important, arrogant, morons.

The leaders of the Five Eyes have opened a can of worms they are definitely not going to like, as they have forced the world to fight back against the monster – to fight fire with fire and learn how to blackmail the blackmailers.

Coming soon: Public Encryption Security Training Control

===================(PEST Control)=================

Anonymous Coward says:

That sounds like good stuff to have available online

What I don’t understand is why stuff like this needs to be accessible from internet connected systems? You hear FUD about attacks on the power grid and how we need cyberwarfare capabilities. But the simple answer is to not have this stuff connected to the internet.

Mike Acker (profile) says:

Much worse than Edward Snowden affair

the OPM disaster is MUCH worse than the Edward Snowden affair. Snowden only exposed illegal government activity — much like Watergate — which we now regard as an heroic action.

OPM is a REAL disaster

as far as China and Russia having Ed Snowden data: if they did they sure wouldn’t let you know about it. The latest on Ed Snowden is just static to help cover up the OPM mess

hot mess, make that

FM Hilton (profile) says:

Another thought

Since the second of the two incursions has been revealed, one must wonder how far back the records that have been stolen go back? Years or decades?

Because when you read it properly, Edward Snowden’s personnel information is part of it, as are probably most of the NSA’s.

I wonder if he knew about the operational insecurity of the OPM?

You have to admit that it would have saved an awful lot of hot mess if he had warned the government about it before it happened.

In that case, he would have been awarded a medal for it and given a better job.

But history had another idea. That’s why he’s in Russia and facing charges that he stole data from the government and our government’s had their information stolen by a foreign entity called China.

It boggles the mind to know that the government completely overlooked their own data and failed to do the most basic security steps to protect it.

Snowden is the least of their problems right now.

Way to go, USA!

sigalrm (profile) says:

Re: Another thought

“I wonder if he knew about the operational insecurity of the OPM? “

Maybe. Doesn’t really matter.

“You have to admit that it would have saved an awful lot of hot mess if he had warned the government about it before it happened.”

Unlikely. History shows – repeatedly – that such warnings – at best – would have been ignored and at worst would have been received with great hostility.

“In that case, he would have been awarded a medal for it and given a better job.”

No. Having embarrassed the Authorizing Official (required under FISMA, look it up) for whichever system it was, he’d have been lucky to have gotten the equivalent of an “atta boy, good job, go back to work” and subsequently having the report shelved, not to be looked at again until some reporter filed a FOIA request for it.

sigalrm (profile) says:

This is exactly what happens...

When you give up privacy for security.

I mean, don’t get me wrong – there’s no question that this is really bad. But if we, as a country, continue to centralize information on everybody in the name of security, then before too many years have elapsed, we’re going to look back on this particular breach as being small scale and, dare I say it, quaint.

nasch (profile) says:

Re: Re:

I am sorry, but I can’t believe they don’t notice all that data leaving sensitive networks. It really sounds more like the government using excuses like this to try and get the public behind them expanding the offensive and defensive hacking operations.

I don’t doubt they would be willing to do such a thing, but I think you’re giving their competence too much credit.

sharon says:

Not at all surprised

I have had the unfortunate experience in dealing with the OPM throughout my lifetime. I am a widow of a man who never got to see his unborn child. Working for our great Government.
The OPM has done nothing but harass, illegally withhold full annuity payments.
I am not at all surprised there was this horrible breach. They are too busy picking on widows.
