Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

The OPM Hack is Far Worse Than Initially Thought

June 15, 2015

A new security maxim? Every big hack discovered will eventually prove to be more serious than first believed. As Wired reported, that's especially true with the recently disclosed hack of the federal Office of Personnel Management, the government’s human resources division.

At first, the government told us that the breach compromised the personal information of about four million people, information such as Social Security numbers, birthdates and addresses of current and former federal workers.

Now it turns out that the hackers, thought to be Chinese state-sponsored hackers, also accessed SF-86 forms, documents used for conducting background checks for worker security clearances, including military and intelligence applicants. The forms can contain a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members. They can also include potentially sensitive information about the applicant’s interactions with foreign nationals—information that could be used against those nationals in their own country.

The government also told us that its EINSTEIN intrusion detection program had uncovered the hack. That wasn't true either: EINSTEIN failed. The Wall Street Journal (paywall) reported that the breach was actually discovered during a sales demonstration in which a security company named CyTech Services was showing the OPM its forensic product.

It is now thought that some 14 million people may have been affected by the breach.

The 127-page SF-86 forms believed to have been accessed by the hackers also include financial information, detailed employment histories—with reasons for past terminations included—as well as criminal history, psychological records and information about past drug use. Yikes. What a huge collection of data that could be used to blackmail people.

If the breached background check information goes beyond the SF-86 form, it could even include detailed personal profiles obtained through polygraph tests, in which employees are asked to confess to law breaking and to describe their sexual history. SF-86 forms can include a list of the worker's foreign contacts. Diplomats and other workers with access to classified information are required, depending on their job, to provide a list of these contacts. There is concern that if the Chinese government has lists containing the names of Chinese nationals who were in touch with U.S. government workers, this could be used to blackmail or punish them if they had been secretive about the contact.

The OPM had no IT security staff until 2013 – are you KIDDING me????

The agency was harshly criticized for its lax security in an inspector general’s report released last November that cited its lack of encryption (once again, are you kidding?) and the agency’s failure to track its equipment. Investigators found that the OPM failed to maintain an inventory list of all of its servers and databases and didn’t even know all the systems that were connected to its networks. The agency also failed to use multi-factor authentication for workers accessing the systems remotely from home or on the road. Are we that stupid about protecting data which may impact national security? Apparently so.

Of course, the OPM has offered victims credit monitoring which is a joke in light of the dangers to which many people are now exposed. I hope OPM director Katherine Archuleta gets a pink slip very soon.
