Hack Of Federal Gov't Employee Info Is Much, Much Worse Than Originally Stated: Unencrypted Social Security Numbers Leaked

from the because-that's-how-this-works dept

Over a decade ago, I pointed out that every single time there were reports of big "data leaks" via hacking, a few weeks after the initial report, we would find out that the leak was even worse than originally reported. That maxim has held true over and over again. And, here we go again. Last week, we noted that the US government's Office of Personnel Management had been hacked, likely by Chinese hackers. And, now, it has come out that the hack was (you guessed it) much worse than originally reported.

The President of the union that represents federal government workers, the American Federation of Government Employees (AFGE) sent a letter to the director of the OPM, claiming that the hackers got away with the Central Personnel Data File, which includes full information on just about everything about that employee -- including (get this) unencrypted social security numbers.
Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, ever federal retiree, and up to one million former federal employees. We believe that hackers have every affected person's Social Security number(s), military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more.
Oh, and then there's this:
Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.
The letter further points out -- as we did last week -- that the 18 months of credit monitoring the government has offered everyone is a complete joke. It's unlikely that the hackers are looking to do identity fraud for financial gain -- and quite likely this is for espionage purposes.

But, let's go back to the Social Security numbers being unencrypted for a second. Remember, this hack is already being used by intelligence system defenders to argue for why we need stronger "cybersecurity" laws that will give the NSA and FBI much greater access to Americans' data.

And, yes, this would be the very same FBI that has actively argued against encryption. And the NSA has always hated encryption and insists it needs backdoors into any encryption.

Both of these organizations strongly support "cybersecurity" legislation, claiming that it's necessary so that the US government can "help" companies dealing with "critical infrastructure." And yet, here we are, with the government's own personnel files being held in a system without encryption that was hacked and copied by (likely) foreign hackers. And we're supposed to trust two government agencies who have been going around cursing encryption, that we should give them more access to "protect us" when another government agency's attack likely could have been prevented if they'd just used encryption?

As plenty of cybersecurity experts will tell you, the problem in the security realm is not "information sharing." It's people doing stupid things in how they setup their systems. Not encrypting the employee files for every government employee seems to fit into that category. Perhaps, rather than focusing on bogus "cybersecurity" legislation to give more power to the idiots shouting against encryption, we should have the government focus on getting its own house in order, including encrypting employee data.

Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 12 Jun 2015 @ 7:59am

    So they want to be able to collect more data and they want it to be more easily accessible by foreign hackers?
    That makes sense

    reply to this | link to this | view in chronology ]

    • icon
      Chronno S. Trigger (profile), 12 Jun 2015 @ 8:10am

      Re:

      It makes perfect sense if you're trying to start a war. Gather all critical data in one insecure location, wait until it inevitably gets hacked, use hacking as justification.

      Seriously, the US news is starting to sound like a plot for a bad action movie.

      reply to this | link to this | view in chronology ]

  • identicon
    LOYALL AMERCAIN, 12 Jun 2015 @ 8:03am

    IS RUSSIA HACKING FOR IS PROPAGANDING!

    IS TROO! Just ask Karl "Russia propaganding teh internets" Bode!
    This BODES ILL!

    HEY, WAIT. What TROO Amercain spells "Carl" JUST LIKE KARL MARX!? -- KRAP! RUSSIAN GOT KARL!

    reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    LOYALL AMERCAIN, 12 Jun 2015 @ 8:05am

    IS RUSSIA HACKING FOR IS PROPAGANDING!

    IS TROO! Just ask Karl "Russia propaganding teh internets" Bode!
    This BODES ILL!

    HEY, WAIT. What TROO Amercain spells "Carl" JUST LIKE KARL MARX!? -- KRAP! RUSSIAN GOT KARL!

    reply to this | link to this | view in chronology ]

  • identicon
    Jack, 12 Jun 2015 @ 8:07am

    Does ProtectMyID's insurance kick in if you get arrested for espionage because some Chinese spook was a little sloppy when using your identity to compromise national security?

    I feel bad for anyone who looks like they might have Asian ancestry or a name that sounds vaguely Chinese - the next few years are really going to suck for them. But hey, at least the next time Target gets hacked and their data shows up for sale on some shady Tor site, they'll find out about it, while probably sitting in a jail cell.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Jun 2015 @ 8:26am

      Tin Foil Hat Engaged

      This was obviously a false flag operation by the NSA so that government agents can do anything they want and if caught, will claim it as a foreign operative that stole their identity via this hack.

      reply to this | link to this | view in chronology ]

  • identicon
    Lawrence D’Oliveiro, 12 Jun 2015 @ 8:10am

    What’s So Secret About Social Security Numbers, Anyway?

    Are the people who designed them so stupid they were unaware of Kerckhoffs’s principle?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Jun 2015 @ 8:38am

      Re: What’s So Secret About Social Security Numbers, Anyway?

      Maybe not stupid but whoever came up with the concept of designating the office that issued the number provided fodder to all the conspiracy theorists.

      (For those that don't know: until recently the first 3 numbers of the SSN designated the office that issued the number. Because most people got their number from the office in the city or county they were born in everybody thought the number was coded for their birth area.)

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Jun 2015 @ 9:07am

      Re: What’s So Secret About Social Security Numbers, Anyway?

      The problem is not that they are particularly secret. The problem is that they are used as if they were both secret and an authentication token. You could eliminate some, maybe many, of the financially motivated hacks if you passed a law that did two things:

      (1) Amend liability laws to provide that any organization which uses SSN as sufficient proof of identity is considered negligent for the purpose of verifying identity. If an organization issues credit (whether credit card, bank transfer, bank loan, insurance payment, etc.) solely because the recipient knew a name+SSN pair, then they cannot avail themselves of any legal processes to try to collect from the actual owner of that SSN. This would effectively outlaw relying on the SSN for financial transactions, since no organization that continued to rely on it could collect payments due to it. Any organization that did not update their identity verification mechanism could be legally defrauded by anyone who knew a name+SSN mapping, with no recourse by the organization.
      (2) Direct the Social Security Administration to publish a full list of all the name to SSN mappings, for every person with a number, living or dead. Going forward, new numbers would be published when issued (or on some convenient schedule, such as a monthly dump of all numbers issued since the last dump). The big dump would come a specified number of months (say, 6-12) after the liability change kicks in. After the data dump begins, defrauding defective organizations would be easy. Widespread lawful fraud would compel them to switch to a better mechanism.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Anonymous Coward, 12 Jun 2015 @ 8:18am

    In kind services

    When the NSA is no longer allowed to view American information directly, or GCHQ to view British information directly, it will be necessary to allow GCHQ easy access so they can trade information with each other. Encryption just makes life more difficult. Isn't this what trade agreements are all about anyway?

    Besides, whomever hacked this database now has a fairly complete list of US Government sponsored terrorists who spend their time denying the fact that they are the terrorists.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Jun 2015 @ 8:22am

    Unencrypted SSNs in a database. And here I thought we'd put the Stupid Ages behind us. I guess it's true what they say: a leopard can't change its underwear.

    reply to this | link to this | view in chronology ]

  • icon
    Gumnos (profile), 12 Jun 2015 @ 8:29am

    Thank goodness…

    Phew, thank goodness that the use of SSNs is limited to the designated purpose, not as some nation-wide identifier used for any and all other purposes. Oh, wait. Crap.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Jun 2015 @ 8:48am

    We definitely are not firing enough people.

    reply to this | link to this | view in chronology ]

  • icon
    vegetaman (profile), 12 Jun 2015 @ 8:53am

    On a side note about SSNs...

    Maybe we can finally stop using SSNs as a unique identifier for people, or pretend it confirms someones' identity, since every company seems to request/require/have access to people's SSNs (and then treat that access with the type of non-chalant, non-caring attitude we've come to expect in the cyber security age).

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 12 Jun 2015 @ 9:16am

      Re: On a side note about SSNs...

      Yes. One thing about social security numbers that most people don't seem to know is that they're not anywhere close to being a secret. It's very easy to get almost anyone's SSN.

      By the way, with a few exceptions centered around businesses that are required to report to the government, no business can legally demand your SSN. Most businesses that ask for it will assign a different ID number to you if you refuse to provide it. Some even tell you that on their forms.

      reply to this | link to this | view in chronology ]

  • identicon
    OnceWorkedForOPM, 12 Jun 2015 @ 8:56am

    Follow the Money

    Just a comment on this, since it's making lots of news. The letter is from the Employee's Union. Not a tech export or anyone involved in the investigation. They are making noise because they want more money\compensation for the employees. They don't have any more inside information than anyone else.

    Read the letter - he is claiming that they "suspect" this based on "sketchy information". He then uses his suspicioin to begin to make the case that the employees (the union?) need more info\money\power.

    This is Washington, folks. Follow the money. This wasn't someone who knows more than the people working the hack. This was a political move. Doesn't mean it's not much worse than OPM knows or has admitted; doesn't mean it is. Just be careful and think it through.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Jun 2015 @ 9:03am

    Time to check the logs very very carefully, and very very thoroughly monitor all databases where an SSN is linked to a photograph. Extra care in log examination and monitoring if the system allow query by SSN.databases when an SSN is linked to a photograph. Any government spy agency would be very careful not to tip its hand until it had gathered all the information that it could before acting on identified people on the US payroll within its borders.

    reply to this | link to this | view in chronology ]

  • identicon
    Stosh, 12 Jun 2015 @ 9:09am

    Not to worry, Obama has made a deal with the identity thieves, no charges so long as they vote demoncrat.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Jun 2015 @ 9:12am

    It is an essential feature.

    Of course the data is unencrypted. It is an essential function to access the data in the database:
    1. Someone in the AFGE wants to access data on a federal employee.
    2. Big Ass Golden Key for Everyone(BAGKE), is used by a hacker to copy the data in the database.
    3. As the data is traveling along the backbone, the data is then copied once again by the NSA and relayed to whoever was asking for that data.

    As you can see, encryption would clearly be in the way and make it much harder to find the right data on the backbone. Trust me... I am an expert.

    reply to this | link to this | view in chronology ]

  • icon
    Steve Swafford (profile), 12 Jun 2015 @ 9:41am

    Is it out of line to want every single one of those living federal employees to file a law suit again the federal government? I'd love to see that.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Jun 2015 @ 9:42am

    Oh, it's MUCH worse than merely SS numbers

    It appears that the hackers got their hands on the employees' SF-86 forms. That's the piece of paperwork involved in background checks, and it contains VAST amounts of information not only about the employee, but family, friend, neighbors, colleagues, any foreign nationals they come into contact with, etc.

    There's stuff in there about employment. About sex practices and partners. About any brushes with law enforcement. About EVERYTHING.

    If you were looking for people to blackmail and for information to do it with, this is the paperwork you'd want.

    And that "foreign national" part has implications too, as there are a number of governments on this planet that might choose to go after their own citizens based on association with people employed by the US government.

    The failure here is stunning. Those forms shouldn't be merely encrypted, they should be on airgapped computers so that acquiring them requires physical access plus hacking those systems plus breaking the encryption. Heck, they should probably be encrypted with an N of M cipher (that is, one that uses M keys and requires that N, N

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Jun 2015 @ 12:01pm

      Re: Oh, it's MUCH worse than merely SS numbers

      And so it was, that the Federal government learned the hard way, that databases full of people's secrets can be used to hurt those people very badly.

      reply to this | link to this | view in chronology ]

  • icon
    Roger Strong (profile), 12 Jun 2015 @ 10:01am

    a few weeks after the initial report, we would find out that the leak was even worse than originally reported.

    A friend once took a temporary job in the Alaska office of a large national charity, to cover an accountant who was on vacation. She discovered that the accountant had been embezzling. It was a MAJOR disaster for the charity, as the news would affect further donations and funding.

    "Luckily" the Exxon Valdez had recently hit a rock, and they got to talk to the PR firm brought in to clean up the mess.

    The advice: Release ALL the information, every last detail, all at once. It would get the same amount of coverage on day one regardless, and on day two it would be old news. With no further information to be leaked, nothing new to report, there would be no new headlines.

    This is why WikiLeaks and the folks holding Snowden's documents prefer a slow trickle of releases. One big release would make headlines on day one, and the vast majority of the information would be unreported and overlooked. A slow, steady release of documents means that each is a fresh story, to get new coverage in the press.

    It's a lesson that those with a big "data leaks" should learn.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Jun 2015 @ 10:14am

    What's the big deal?

    It's just third party data. It's not like we should have any expectation of privacy when it comes to third party data, right?

    reply to this | link to this | view in chronology ]

  • identicon
    SoFukinScrewed, 12 Jun 2015 @ 10:20am

    Encryption

    Of course the data is unencrypted. Encryption is only used by kidnappers, terrorists, and pedophiles.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Jun 2015 @ 12:22pm

    I am so glad to hear that all of these social security numbers are unencrypted, because it's important we work with companies and agencies to "prevent encryption above all else". Just imagine the egg of the FBI's face if after all their perfectly justified claims about how encryption only helps the terrorists and child molesters, if it turned out that this data held by the US government was encrypted.

    Crisis averted. Thanks Michael Steinbach and William Crowley. Enjoy your brave new world.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Jun 2015 @ 12:56pm

      Re:

      There is just one problem:
      The way this is gonna be spun out is not that the data wasn't encrypted, but rather that this happened because hackers are bad and foreign hackers are the worst. They will then insist that in order to catch such people, they need more access and less encryption, as if anyone will automatically obey these rules.
      There will never be any apology or admission of any bad judgement or sloppiness from their part, only ever accusations of others and the constant pushing for more power.

      reply to this | link to this | view in chronology ]

  • icon
    Web_Rat (profile), 12 Jun 2015 @ 1:52pm

    Wait a minute, really folks what is all the fuss about? Sure our own duly elected government has embarked on and expanded non-warranted collection of data on its very own citizens. And yes, the government proclaims any information you may have involving a 3rd party has no expectation of privacy. Furthermore federal officials are bemoaning the fact that encryption without a government sanctioned "backdoor" will cripple the war on terrorism.

    Everyone seems to be forgetting that Obama promised to have the most transparent administration in the history of the United States.......

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Jun 2015 @ 10:34pm

    This hacking is a victory James Comey. We don't need no stinking encryption!

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer
Anonymous number for texting and calling from Hushed. $25 lifetime membership, use code TECHDIRT25
Report this ad  |  Hide Techdirt ads
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.