US Government's HR Department Has Been Hacked, Government Employee Data Leaked

from the if-you-can't-clean-up-your-own-home... dept

The US government keeps insisting that companies should be giving it information in order to help the government block "cybersecurity" attacks on those companies. In fact, as just reported, the NSA is already scooping up tons of information in trying to spot malicious attacks ahead of time, despite insisting in the past that it wasn't doing this. However, before everyone starts handing over information to the federal government, shouldn't we have some sort of evidence that the US government itself actually has some decent cybersecurity skills?

Because it appears that, yet again, there has been a massive data breach, and this time, it's the US government's Office of Personnel Management (OPM), which is basically the HR department for the entire federal government. In other words, hackers may have gotten access to the personal information on tons of current and former government employees:
The agency said that in April of 2015 it had identified “a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information,” although the breach is only being disclosed now. OPM also said that it will notify around 4 million people whose personal information “may have been compromised”—although the number is likely to grow since the investigation is ongoing.
Taking the same idiotic, symbolic but pointless response as the private sector every time there's a breach, the OPM is promising some free credit reporting:
To protect employees from identity theft, OPM is giving them free “credit report access, credit monitoring and identity theft insurance and recovery services,” according to the press release.

“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” OPM Director Katherine Archuleta said in a statement.
Actually, that last statement does not appear to be true. As the report at Vice's Motherboard (linked above) notes, this is the second time in less than a year that this has happened, and last time it was determined to be Chinese hackers who broke in -- and that's who is suspected again this time. In which case, "free credit reporting" services are likely to be totally useless. It's quite likely that whoever hacked in wasn't doing it to commit identity fraud and swipe credit card numbers, but to get useful information for additional, more sophisticated hacks to get access to various government employees' computers and networks.

So, yeah, if the US government can't even protect its own systems against these hacks, can someone explain why, again, we're expected to have companies hand over their own information under the false belief that the government will somehow protect them against attacks as well?

Reader Comments

  • Anonymous Coward, 5 Jun 2015 @ 9:32am

    Those who can, do.
    Those who can't, teach.
    Those who can't teach, teach PhysEd.
    Those who can't teach PhysEd, work in IT for the government.

    • Anonymous Coward, 5 Jun 2015 @ 9:50am

      Re:

      It's even simpler:
      Those who can do and try to cooperate with each other.
      Those who can't try to take control and prevent the cooperation.

    • pixelpusher220 (profile), 5 Jun 2015 @ 10:15am

      Re:

      Denigrating teachers isn't exactly the way to a booming economy...

    • Former Fed, 5 Jun 2015 @ 10:18am

      Re:

      If OPM is like most other federal agencies, nearly all the IT work is contracted out. The contracting companies' goal is to deliver as little as possible while charging as much as they can get away with. The COTRs - the feds responsible for monitoring the contractors' performance - often don't have the skills or the "junk yard dog" attitude needed to do a good job.

  • David, 5 Jun 2015 @ 9:36am

    If they used that "Dark" encryption ...

    You know, the ones they are afraid of? Maybe they wouldn't have gotten hacked...

    • pixelpusher220 (profile), 5 Jun 2015 @ 10:17am

      Re: If they used that "Dark" encryption ...

      Local DC news radio said these current and former employees will get free credit monitoring.

      My question is *when* the NSA is hacked, are they going to give the entire world free credit monitoring?

      • Anonymous Coward, 5 Jun 2015 @ 10:23am

        Re: Re: If they used that "Dark" encryption ...

        My question is *when* the NSA is hacked, are they going to give the entire world free credit monitoring?
        First, you cannot hack No Such Agency because it does not exist. But if it did get hacked anyway, they could of course provide free credit monitoring to the world, because they are already monitoring everyone's credit for their own nefarious ends. CC'ing you on their monitoring would be comparatively cheap, and probably a lot cheaper than buying everyone a credit monitoring package from the commercial bureaus.

      • Anonymous Coward, 5 Jun 2015 @ 1:53pm

        Re: Re: If they used that "Dark" encryption ...

        Maybe that's the precursor...first they let themselves get hacked, then they offer the entire planet free credit monitoring. The data from the credit monitoring agencies goes straight to the NSA.

        Boom! We're totally safe & secure now!

        Unless they get hacked again, then they have to repeat the offer...oh, wait.

  • Anonymous Anonymous Coward, 5 Jun 2015 @ 9:40am

    Ostriches

    This is a good example of our government spouting the "We don't need no stinking encryption!" line is totally out of their cranial-rectal thinking.

  • Anonymous Coward, 5 Jun 2015 @ 9:56am

    I still can't wrap my head around the fact that the government seems to be both "pro-cybersecurity" and "anti-encryption" at the same time.

    Do those morons not realize that the two policies are incompatible? To get strong cybersecurity you need strong encryption and spy and hacking-proof systems...so why the hell are they still pushing for easy-to-spy and easy-to-hack systems in the media then?!

    • Anonymous Coward, 5 Jun 2015 @ 9:58am

      Re:

      Two possible answers. They are incompetent or they allow it to advance their terrorist hacker boogeyman propaganda. Take your pick.

      • ltlw0lf (profile), 5 Jun 2015 @ 10:10am

        Re: Re:

        Two possible answers. They are incompetent or they allow it to advance their terrorist hacker boogeyman propaganda. Take your pick.

        I choose both. One is what they are, and the other is the method they use to separate you from some of your paycheck.

    • AnonyBabs, 5 Jun 2015 @ 12:30pm

      Re:

      You don't understand; it's because the govt is the "good guys."

  • Anonymous Coward, 5 Jun 2015 @ 9:57am

    It seems everything is hooked to the internet these days

    You gotta love the mindset that if there is a computer lying around, it has to be hooked to the internet. There are all kinds of security mechanisms to keep people from getting to systems they shouldn't get to. Some systems should not even be hooked to the internet. Just wait until the internet of things really takes hold and hackers start controlling houses, cars and anything else that isn't nailed down. We need to get a handle on security now as it is nearly impossible to secure things after the fact.

  • PlagueSD (profile), 5 Jun 2015 @ 10:05am

    I'm thinking someone left the "back door" unlocked. So tell me again how having "back doors" is a good thing??

  • Anonymous Coward, 5 Jun 2015 @ 10:08am

    Well...

    When you give up your freedom for security you get neither.

    Now the hackers have your info and the government will try to use this as an excuse to take away more of your freedom.

    No encryption, bitches.

  • Anonymous Coward, 5 Jun 2015 @ 10:09am

    Given a government list of government employees, subtract all those whose job/department can be found in public directories, and those left are the ones that a foreign government will have the most interest in, as it likely includes many covert operators etc.

    • Anonymous Coward, 5 Jun 2015 @ 10:26am

      Re:

      This is the government we are talking about here. Odds are the payroll data includes things like CIA operative in Iraq as the job title. So if you remove everything identifiable, you probably are only left with people that are on the payroll due to system bugs, or because they had already hacked the payroll system to add themselves to it.

    • Bamboo Harvester (profile), 5 Jun 2015 @ 11:59am

      Re:

      Won't work. The Official Cover people would show up as their covers (Attache, Asst to the Asst of...), NOC people would show up as day workers - do you really believe the CIA headquarters has 800 Janitors?

  • Roger Strong (profile), 5 Jun 2015 @ 10:24am

    Credit Where Credit Is Due

    You can't accuse the government of hypocrisy. They didn't encrypt, and they haven't "gone dark."

  • Oblate (profile), 5 Jun 2015 @ 10:26am

    "Identity theft protection"

    They're offering affected employees identity theft protection, for 18 months. Why 18 months, do they think the hackers will give the information back by then? I wonder why they weren't as concerned about protecting employees' information when they were designing their IT systems. The only logic I can see behind the 18 month span is that it's likely to last until the next major breach (and another 18 month protection plan).

    • Nate (profile), 5 Jun 2015 @ 11:00am

      Re: "Identity theft protection"

      Does that mean 18 months identity theft protection on top of the other two offers of 18 month identity theft protection?

      I ask because I have letters dated 3 September and 22 March which detail two previous hacks (say the word and I will scan and post them).

      So is the identity theft protection offered concurrently or consecutively, do you think?

      • Anonymous Anonymous Coward, 5 Jun 2015 @ 11:27am

        Re: Re: "Identity theft protection"

        Bah, don't you realize that you will be required to identify which breach your identity theft came from before any identity theft protection plan will be enforced? You have a 1 in 3 chance of being right (start flipping coins); now, the next breach will make it 1 in 4.

        Oh, and make sure you use the correct government issued breach identifier [Classified info, as you well know] when referring to breaches so that there are no mistakes, because dates won't work as the breaches were all 'over a period of time' which might include days, weeks, or months depending on your perspective.

  • Anonymous Coward, 5 Jun 2015 @ 11:12am

    Looks like the identity theft insurance lobbyists' plan is coming off without a hitch...kickbacks in the form of 4 million new accounts.

  • Anonymous Coward, 5 Jun 2015 @ 11:26am

    Uncle Obama

    I wonder if Uncle Obama is going to pick up a year of credit monitoring for everyone who had their data stolen.

    • Anonymous Coward, 5 Jun 2015 @ 11:28am

      Re: Uncle Obama

      To buy more Americans that don't care for their freedom off you sure better believe he will do it if I could.

      But that depends on if the puppet master that pulls this person's strings will let him do it.

      • Groaker (profile), 5 Jun 2015 @ 12:36pm

        Re: Re: Uncle Obama

        Can't really blame Obama, as this kind of nonsense has been going on for as long as governments have existed. As a recent, but pre-Obama occurrence, I observed Federal IT staff knowingly violate HIPAA security requirements because it saved time and money.

        Hypocrisy, thy name is government.

    • Anonymous Coward, 5 Jun 2015 @ 11:34am

      Maybe read the entire article first

      Maybe it's just a way to transfer money to the credit reporting agencies. Monitoring is not cheap for four million customers. Since the big three have taken it upon themselves to collect all of this data on consumers, perhaps they should have an obligation to make credit freezes and monitoring free.

  • Anonymous Coward, 5 Jun 2015 @ 11:27am

    Hope they used a backdoor!

    And I that gets waved in their fucking faces.

  • DigDug, 5 Jun 2015 @ 12:07pm

    Yay now idiots will be able to find the addresses of the incompetent

    Which will lead to highly comical events, such as TP'ing their houses and cars, with excrement loaded TP.

    Egging, door dings, keying, and whatnot.

    I've got my popcorn and remote to rewind and rewatch as hilarity ensues.

  • Derek Kerton (profile), 5 Jun 2015 @ 12:15pm

    Wow, Scary

    Wow. Scary. Good thing I don't work for the US govt.

    That means they're not storing any private information about me, so I'm not at risk.

    (yes, sarcasm)

  • Anonymous Coward, 5 Jun 2015 @ 12:38pm

    OPM does security clearance investigations (among other things), making them responsible for some VERY personal information.

  • Anonymous Coward, 5 Jun 2015 @ 1:12pm

    If you don't encrypt, you must acquit.

  • Anonymous Coward, 5 Jun 2015 @ 2:04pm

    Multiply the numbers by 4-5. Security clearance application data requires some personal information of family and friends of those applying for clearances. If that database was hacked then this isn't just about federal employees.

    Will the government be offering credit "protection" for those people too?

  • Anonymous Coward, 5 Jun 2015 @ 4:02pm

    I haven't been notified yet

    My information is one of those that would have been stolen from the OMB. I have not received any notification that I will be receiving free monitoring.

    According to some reports that I have seen, the hackers could wait years to use this information. I guess the Gov't owes me perpetual credit monitoring.....

  • Anonymous Coward, 5 Jun 2015 @ 4:05pm

    4 months undetected

    I just heard that the hack went four months without being detected.

    The Australians (I think the Defence Department) used the top 4 strategies to stop hackers. They did get in, but got no information. The top 3 that I remember were:

    1. Whitelisting
    2. Frequent OS patching
    3. Frequent application patching

  • Anonymous Coward, 8 Jun 2015 @ 2:37pm

    It's genius.

    The data sharing with companies will reduce attacks on the companies. The government collects loads of data from companies, puts it in a huge, poorly protected database and makes a big target for hackers. Why would the hackers bother attacking the companies with that there instead? So at a stroke, the risk of the companies getting hacked goes to zero.
