Hack Of Federal Gov't Employee Info Is Much, Much Worse Than Originally Stated: Unencrypted Social Security Numbers Leaked

from the because-that's-how-this-works dept

Over a decade ago, I pointed out that every single time there were reports of big "data leaks" via hacking, a few weeks after the initial report, we would find out that the leak was even worse than originally reported. That maxim has held true over and over again. And, here we go again. Last week, we noted that the US government's Office of Personnel Management had been hacked, likely by Chinese hackers. And, now, it has come out that the hack was (you guessed it) much worse than originally reported.

The President of the union that represents federal government workers, the American Federation of Government Employees (AFGE), sent a letter to the director of the OPM, claiming that the hackers got away with the Central Personnel Data File, which includes full information on just about everything about every federal employee -- including (get this) unencrypted social security numbers.
Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees. We believe that hackers have every affected person's Social Security number(s), military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more.
Oh, and then there's this:
Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.
The letter further points out -- as we did last week -- that the 18 months of credit monitoring the government has offered everyone is a complete joke. It's unlikely that the hackers are looking to do identity fraud for financial gain -- and quite likely this is for espionage purposes.

But, let's go back to the Social Security numbers being unencrypted for a second. Remember, this hack is already being used by intelligence system defenders to argue for why we need stronger "cybersecurity" laws that will give the NSA and FBI much greater access to Americans' data.

And, yes, this would be the very same FBI that has actively argued against encryption. And the NSA has always hated encryption and insists it needs backdoors into any encryption.

Both of these organizations strongly support "cybersecurity" legislation, claiming that it's necessary so that the US government can "help" companies dealing with "critical infrastructure." And yet, here we are, with the government's own personnel files being held in a system without encryption, a system that was hacked and copied by (likely) foreign hackers. And we're supposed to trust two government agencies that have been going around cursing encryption when they tell us to give them more access to "protect us" -- when the attack on another government agency likely could have been prevented if it had just used encryption?

As plenty of cybersecurity experts will tell you, the problem in the security realm is not "information sharing." It's people doing stupid things in how they set up their systems. Not encrypting the employee files for every government employee seems to fit into that category. Perhaps, rather than focusing on bogus "cybersecurity" legislation to give more power to the idiots shouting against encryption, we should have the government focus on getting its own house in order, including encrypting employee data.
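To make concrete what "encrypting employee data" means at the field level, here is an added example (not code from the original post, and not anything OPM runs) in Go using only the standard library. It stores the SSN in a constructed personnel record as AES-256-GCM ciphertext, binds the employee name in as authenticated data so a ciphertext cannot be swapped between records, and shows that a straight copy of the table yields no plaintext SSN. The record layout, field names and sample values are assumptions for illustration. The caveat a practitioner would add: this only helps if the key is held somewhere the attacker who copies the database cannot also reach (an HSM or KMS rather than a config file beside the table), and an attacker with access to the running application can still ask it to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// PersonnelRecord is a constructed stand-in for one row of a personnel
// file. Every field stays in the clear except the SSN, which is stored
// only as base64(nonce || ciphertext || tag), never as the raw number.
type PersonnelRecord struct {
	Name      string
	BirthDate string
	JobTitle  string
	SSNCipher string
}

// newGCM wraps a 32-byte key (AES-256) in an AES-GCM AEAD. In a real
// deployment the key is fetched from an HSM or KMS, not stored beside the database.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSSN seals the SSN under a fresh random nonce. The employee name is
// bound in as additional authenticated data so a ciphertext cannot be cut
// and pasted onto another employee's record without failing authentication.
func EncryptSSN(key []byte, name, ssn string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(ssn), []byte(name)) // nonce || ct || tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptSSN reverses EncryptSSN. Tampering with the ciphertext, the nonce,
// the bound name, or using the wrong key all fail authentication.
func DecryptSSN(key []byte, name, field string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(field)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, ct, []byte(name))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// DumpContainsSSN models what someone who copies the whole table sees:
// it reports whether the plaintext SSN appears anywhere in the stored row.
func DumpContainsSSN(rec PersonnelRecord, ssn string) bool {
	dump := strings.Join([]string{rec.Name, rec.BirthDate, rec.JobTitle, rec.SSNCipher}, "|")
	return strings.Contains(dump, ssn)
}

func main() {
	// Constructed sample key and record; a real key comes from a KMS.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	const ssn = "123-45-6789" // constructed sample value, not a real SSN
	ct, err := EncryptSSN(key, "Jane Doe", ssn)
	if err != nil {
		panic(err)
	}
	rec := PersonnelRecord{Name: "Jane Doe", BirthDate: "1970-01-01", JobTitle: "Analyst", SSNCipher: ct}
	fmt.Printf("stored row: %+v\n", rec)
	fmt.Println("raw SSN visible in dump:", DumpContainsSSN(rec, ssn))
	got, _ := DecryptSSN(key, "Jane Doe", ct)
	fmt.Println("decrypts with the key:", got == ssn)
	_, err = DecryptSSN(key, "John Roe", ct)
	fmt.Println("rebinding to another name fails:", err != nil)
}
```

The design choice worth noting is the authenticated-data binding: encrypting each SSN alone stops a copied table from revealing numbers, but without binding the ciphertext to its row an insider could still reassign one employee's sealed SSN to another record unnoticed.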

Filed Under: cybersecurity, federal government, leaks, opm, social security numbers, unencrypted

Reader Comments


  1. Anonymous Coward, 12 Jun 2015 @ 9:07am

    Re: What’s So Secret About Social Security Numbers, Anyway?

    The problem is not that they are particularly secret. The problem is that they are used as if they were both secret and an authentication token. You could eliminate some, maybe many, of the financially motivated hacks if you passed a law that did two things:

    (1) Amend liability laws to provide that any organization which uses SSN as sufficient proof of identity is considered negligent for the purpose of verifying identity. If an organization issues credit (whether credit card, bank transfer, bank loan, insurance payment, etc.) solely because the recipient knew a name+SSN pair, then they cannot avail themselves of any legal processes to try to collect from the actual owner of that SSN. This would effectively outlaw relying on the SSN for financial transactions, since no organization that continued to rely on it could collect payments due to it. Any organization that did not update their identity verification mechanism could be legally defrauded by anyone who knew a name+SSN mapping, with no recourse by the organization.
    (2) Direct the Social Security Administration to publish a full list of all the name to SSN mappings, for every person with a number, living or dead. Going forward, new numbers would be published when issued (or on some convenient schedule, such as a monthly dump of all numbers issued since the last dump). The big dump would come a specified number of months (say, 6-12) after the liability change kicks in. After the data dump begins, defrauding defective organizations would be easy. Widespread lawful fraud would compel them to switch to a better mechanism.
