US Government's HR Department Has Been Hacked, Government Employee Data Leaked
from the if-you-can't-clean-up-your-own-home... dept
The US government keeps insisting that companies should be giving it information in order to help the government block “cybersecurity” attacks on those companies. In fact, as just reported, the NSA is already scooping up tons of information in trying to spot malicious attacks ahead of time, despite insisting in the past that it wasn’t doing this. However, before everyone starts handing over information to the federal government, shouldn’t we have some sort of evidence that the US government itself actually has some decent cybersecurity skills?
Because it appears that, yet again, there has been a massive data breach, and this time, it’s the US government’s Office of Personnel Management (OPM), which is basically the HR department for the entire federal government. In other words, hackers may have gotten access to the personal information on tons of current and former government employees:
The agency said that in April of 2015 it had identified ?a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information,? although the breach is only being disclosed now. OPM alsos said that it will notify around 4 million people whose personal information ?may have been compromised??although the number is likely to grow since the investigation is ongoing.
Taking the same idiotic, symbolic but pointless, response as the private sector every time there’s a breach, the OPM is promising a some free credit reporting:
To protect employees from identity theft, OPM is giving them free ?credit report access, credit monitoring and identify theft insurance and recovery services,? according to the press release.
?Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,? OPM Director Katherine Archuleta said in a statement.
Actually, that last statement does not appear to be true. As the report at Vice’s Motherboard (linked above) notes, this is the second time in less than a year that this happened, and last time it was determined to be Chinese hackers who broke in — and that’s who is suspected again this time. In which case, “free credit reporting” services are likely to be totally useless. It’s quite likely that whoever hacked in wasn’t doing it to do identity fraud and swipe credit card numbers, but to get useful information for additional, more sophisticated hacks to get access to various government employees’ computers and networks.
So, yeah, if the US government can’t even protect its own systems against these hacks, can someone explain why, again, we’re expected to have companies hand over their own information under the false belief that the government will somehow protect them against attacks as well?
Filed Under: china, cybersecurity, hacked, office of personnel management, opm, us government
Comments on “US Government's HR Department Has Been Hacked, Government Employee Data Leaked”
Those who can, do.
Those who can’t, teach.
Those who can’t teach, teach PhysEd.
Those who can’t teach PhysEd, work in IT for the government.
Re: Re:
Its even simpler:
Those who can do and try to cooperate with each other.
Those who cant try to take control and prevent the cooperation.
Re: Re:
Denigrating teachers isn’t exactly the way to a booming economy…
Re: Re:
If OPM is like most other federal agencies, nearly all the IT work is contracted out. The contracting companies’ goal is to deliver as little as possible while charging as much as they can get away with. The COTRs – the feds responsible for monitoring the contractors’ performance – often don’t have the skills or the “junk yard dog” attitude needed to do a good job.
If they used that "Dark" encryption ...
You know, they ones they are afraid of? Maybe they wouldn’t have gotten hacked…
Re: If they used that "Dark" encryption ...
local DC news radio said these current and former employees will get free credit monitoring.
My question is when the NSA is hacked, are they going to give the entire world free credit monitoring?
Re: Re: If they used that "Dark" encryption ...
First, you cannot hack No Such Agency because it does not exist. But if it did get hacked anyway, they could of course provide free credit monitoring to the world, because they are already monitoring everyone’s credit for their own nefarious ends. CC’ing you on their monitoring would be comparatively cheap, and probably a lot cheaper than buying everyone a credit monitoring package from the commercial bureaus.
Re: Re: If they used that "Dark" encryption ...
Maybe that’s the precursor…first they let themselves get hacked, then they offer the entire planet free credit monitoring. The data from the credit monitoring agencies goes straight to the NSA.
Boom! We’re totally safe & secure now!
Unless they get hacked again, then they have to repeat the offer…oh, wait.
Ostrich's
This is a good example of our government spouting the “We don’t need no stinking encryption!” line is totally out of their cranial-rectal thinking.
I still can’t wrap my head around the fact that the government seems to be both “pro-cybersecurity” and “anti-encryption” at the same time.
Do those morons not realize that the two policies are incompatible? To get strong cybersecurity you need strong encryption and spy and hacking-proof systems…so why the hell are they still pushing for easy-to-spy and easy-to-hack systems in the media then?!
Re: Re:
Two possible answers. They are incompetent or they allow it to advance their terrorist hacker boogeyman propaganda. Take your pick.
Re: Re: Re:
Two possible answers. They are incompetent or they allow it to advance their terrorist hacker boogeyman propaganda. Take your pick.
I choose both. One is what they are, and the other is the method they use to separate you from some of your paycheck.
Re: Re:
You don’t understand; it’s because the govt is the “good guys.”
It seems everything is hooked to the internet these days
You gotta love the mindset that if there is a computer lying around, it has to be hooked to the internet. There are all kinds of security mechanisms to keep people from getting to systems they shouldn’t get to. Some systems should not even be hooked to the internet. Just wait until the internet of things really takes hold and hackers start controlling houses, cars and anything else that isn’t nailed down. We need to get a handle on security now as it is nearly impossible to secure things after the fact.
I’m thinking someone left the “back door” unlocked. So tell me again how having “back doors” is a good thing??
Well...
When you give up your freedom for security you get neither.
Now the hackers have your info and the government will try to use this as an excuse to take away more of your freedom.
No encryption, bitches.
Given a government list of government employees, subtract all those who job/department can be found in public directories, and those left are the ones that a foreign government will have the most interest in, as it likely includes many covert operators etc..
Re: Re:
This is the government we are talking here. Odds are the payroll data includes things like, CIA operative in Iraq as the job title. So if you remove everything identifiable, you probably are only left with people that are on the payroll due to system bugs, or because they had already hacked the payroll system to add themselves to it.
Re: Re:
Won’t work. The Official Cover people would show up as their covers (Attache, Asst to the Asst of…), NOC people would show up as day workers – do you really believe the CIA headquarters has 800 Janitors?
Credit Where Credit Is Due
You can’t accuse the government of hypocrisy. They didn’t encrypt, and they haven’t “gone dark.”
"Identity theft protection"
They’re offering affected employees identity theft protection- for 18 months. Why 18 months, do they think the hackers will give the information back by then? I wonder why they weren’t as concerned about protecting employees information when they were designing their IT systems. The only logic I can see behind the 18 month span is that it’s likely to last until the next major breach (and another 18 month protection plan).
Re: "Identity theft protection"
Does that mean 18 months identity theft protection on top of the other two offers of 18 month identity theft protection?
I ask because I have letters dated 3 September and 22 March which detail two previous hacks (say the word and I will scan and post them).
So is the identity theft protection offered concurrently or consecutively, do you think?
Re: Re: "Identity theft protection"
Bah, don’t you realize that you will be required to identify which breech your identity theft came from before any identity theft protection plan will be enforced? You have a 1 in 3 chance of being right (start flipping coins), now, the next breech will make it 1 in 4.
Oh, and make sure you use the correct government issued breech identifier [Classified info, as you well know] when referring to breeches so that there are no mistakes because dates won’t work as the breeches were all ‘over a period of time’ which might include days, weeks, or months depending on your perspective.
Looks like the identity theft insurance lobbyists’ plan is coming off without a hitch…kickbacks in the form of 4 million new accounts.
Uncle Obama
I wonder if Uncle Obama is going to pick up a year of credit monitoring for everyone who had their data stolen.
Re: Uncle Obama
To buy more Americans that don’t care for their freedom off you sure better believe he will do it if I could.
But that depends on if the puppet master that pulls this persons strings will let him do it.
Re: Re: Uncle Obama
Can’t really blame Obama, as this kind of nonsense has been going on for as long as governments exist. As a recent, but pre-Obama occurrence, I observed Federal IT staff knowingly violate HIPPA security requirements because it saved time and money.
Hypocrisy, thy name is government.
Re: Maybe read the entire article first
Maybe it’s just a way to transfer money to the credit reporting agencies. Monitoring is not cheap for four million customers. Since the big three have taken it upon themselves to collect all of this data on consumers, perhaps they should have an obligation to make credit freezes and monitoring free.
Hope they used a backdoor!
And I that gets waved in their fucking faces.
Re: Hope they used a backdoor!
They didn’t use a backdoor you ninny!
They had a golden key.
Yay now idiots will be able to find the addresses of the incompetent
Which will lead to highly comical events, such as TP’ing their houses and cars, with excrement loaded TP.
Egging, door dings, keying, and whatnot.
I’ve got my pop-corn and remote to rewind and rewatch as hilarity ensues
Wow, Scary
Wow. Scary. Good thing I don’t work for the US govt.
That means they’re not storing any private information about me, so I’m not at risk.
(yes, sarcasm)
OPM does security clearance investigations (among other things) making them responsible for some VERY personal information.
If you don’t encrypt, You must acquit.
Multiple the numbers by 4-5. Security clearance application data requires some personal information of family and friends of those applying for clearances. If that database was hacked then this isn’t just about federal employees.
Will the government be offering credit “protection” for those people too?
Re: Re:
Check out:
https://threatpost.com/opm-hack-may-have-exposed-security-clearance-data/113184
Potentially very bad.
I haven't been notified yet
My information is one of those that would have been stolen from the OMB. I have not received any notification that I will be receiving free monitoring.
According to some reports that I have seen, the hackers could wait years to use this information. I guess the Gov’t owes me perpetual credit monitoring…..
4 months undetected
I just heard that the hack went four months without being detected.
The Australians (I think the Defence Department) used the top 4 strategies to stop hackers. They did get in, but got no information. The top 3 that I remember were:
1. Whitelisting
2. Frequent OS patching
3. Frequent application patching
It’s genius.
The data sharing with companies will reduce attacks on the companies. The government collects loads of data from companies, puts it in a huge, poorly protected database and makes a big target for hackers. Why would the hackers bother attacking the companies with that there instead? So at a stroke, the risk of the companies getting hacked goes to zero.