Slashdot Mirror


More Than 22 Million People's Data Compromised By OPM Hack

OutOnARock writes with news that the Office of Personnel Management data breach reported earlier this month was actually far worse than earlier estimates had it; in all, it seems that more than 22 million people (not all of them government employees) had personal information compromised by the breach. From Yahoo News's coverage: That number is more than five times larger than what the Office of Personnel Management announced a month ago when first acknowledging a major breach had occurred. At the time, OPM only disclosed that the personnel records of 4.2 million current and former federal employees had been compromised.

67 comments

  1. Torches and Pitchforks! by Anonymous Coward · · Score: 1

    Peasants you know what to do!

  2. Anybody rich? by Anonymous Coward · · Score: 0

    What's their bank account number?

  3. Would this have happened had they used OpenBSD? by Anonymous Coward · · Score: 0, Offtopic

    We need to ask ourselves, would this incident have even happened if they had been using OpenBSD? It's hard to say for sure, since details about this incident are scant. But we do know that OpenBSD is designed from the ground-up to be as secure as possible, and its developers put an immense focus on security. It has proven itself to be among the most secure, yet still practical, operating systems, if not the most secure for general-purpose computing. So when one has to put together a server or even an entire network, and security is a real concern, then I think that OpenBSD is the only viable option available.

    1. Re:Would this have happened had they used OpenBSD? by chill · · Score: 1

      Answer: Yes.

      It was a phishing exploit that captured credentials of a valid user. It wasn't a technical compromise. It was social engineering facilitated by technology.

      You can't protect that with better code.

      --
      Learning HOW to think is more important than learning WHAT to think.
  4. I should've stayed unemployed... by __aaclcg7560 · · Score: 3, Informative

    My two-hour background investigation interview lasted four hours because the bureaucrats in Washington couldn't understand how one person can have multiple jobs. After being out of work for two years (2009-2010), underemployed for six months (working 20 hours per month) and filing for Chapter Seven bankruptcy in 2011, don't you think a person would work a regular Monday-Friday job and a weekend job to get his finances in better shape? Meh...

    Enjoy my case file, hackers! I hope your head explodes from my employment misery!

    1. Re: I should've stayed unemployed... by Anonymous Coward · · Score: 0

      Very soon you will be able to read all the gory details of Obama's and Merkel's medical records on wikileaks.

      What did the ex-NSA man Binney say? If it is connected, it can and will be hacked. These systems are ALL connected these days. With some funny firewalls in between, but that only stops the casual attackers.

      Brought to you by the control freakery of Anglo Government. "we need to be able to look in ALL computers. Terrists could hide in there".

  5. the internet is an open book by turkeydance · · Score: 2

    for everyone to read

  6. One out of three US citizens by Anonymous Coward · · Score: 1

    I believe that brings the total number of people compromised in the past few years up to about, oh, a hundred million.

    1. Re:One out of three US citizens by speedplane · · Score: 1

      We should build a database of people who have not yet been compromised. It'll be easier to keep track of.

      --
      Fast Federal Court and I.T.C. updates
    2. Re: One out of three US citizens by Anonymous Coward · · Score: 0

      but then of course that database would be compromised.

  7. Not the Mil TLD side by WillAffleckUW · · Score: 1

    Only the Civ Gov side.

    So, only one of the five spy agencies you know about.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Not the Mil TLD side by StikyPad · · Score: 1

      Eh?

      1) The IC comprises 17 agencies. That's not a secret. Anymore, at least.
      2) Some of those agencies use OPM for background investigations, and some don't. I can tell you that the distinction is not strictly military/"civilian" though.
      3) Some (not a small number) of the people that work at those agencies have pre-existing background investigations from prior employment, be it military, civilian, or contractor. It's not an impossible task to use data mining to map past background investigations to current employees at those agencies once you have those records, especially for overt employees.

      Also, this impacted the FBI's employees, so that by itself is a huge national security issue, since they have access to a lot of the same information that the IC does.

      Honestly, though, this is only the most visible OpSec failure. It's likely that our "non allies" -- Russia and China -- already have our intelligence agencies fairly well mapped out just from surveillance and humint, let alone sigint. That's the easy part. Finding out what we know and don't know is a bit tougher, but nothing's impossible. The payoffs of espionage are large and the risks are relatively low in nation-state terms. I would be shocked if they don't know at least as much about us as we know about them, if not more, because we are far and away the biggest and most lucrative target on the world stage, and there's no such thing as perfect security.

      But that's not such a bad thing, to be honest. For the most part, we have a high degree of integrity in our foreign policy (relative to most other nation-states, if not in absolute terms), and we don't try to hide our agenda. They're not going to discover that we have secret plans to invade Mexico, or that our NATO missile defense system is really setting the stage to invade Russia. And it's no secret that we have the capability to defend ourselves, so even finding chinks in our armor isn't going to negate the fact that we have the world's largest Navy, we're fully capable of crippling retaliatory strikes through a plethora of means.

      Our real weakness is well known -- we allow ourselves to get baited into spending vast resources on what are ultimately inconsequential conflicts: Korea, Vietnam, Afghanistan, Iraq II, and now ISIS. None of these were legitimate threats to our national security on a significant scale, but we treat them as though they were, out of pride or something. We lose a pawn and we chuck the board aside and turn it into a deathmatch. That's our real weakness. Pride.

    2. Re:Not the Mil TLD side by MtnDeusExMachina · · Score: 1

      Kudos. This is on the money. One of the best postings I have ever read on /.

    3. Re: Not the Mil TLD side by Anonymous Coward · · Score: 0

      What a rosy picture. Millions of dead Syrians and Iraqis beg to differ. You do indeed sometimes have some dark criminal intentions. But that concept is not a secret either.

  8. Super Secure NSA protects america! by Anonymous Coward · · Score: 1, Insightful

    22 million government workers get hacked probably because some anus site got SQL injected.

    The NSA spends no time auditing its own systems to protect American citizens, and all of its time spying on Americans and "terrorists".

    If the NSA's mission is to truly defend America, how come sensitive government systems are still prone to SQL injection?

    Let this all sink in.

    1. Re:Super Secure NSA protects america! by DarkOx · · Score: 2

      I think that is the problem: the NSA's mission isn't defense, it's largely offense. We don't really have a cyber (ugh, I can't believe I just wrote that word) defensive force. We probably should, but we leave that to 'domestic' agencies like the FBI and other groups we rolled up into Homeland Security.

      Remember, the "Department of Defense" (although there were some other reorganizations and mergers) was essentially created by renaming the "War Department" because it's politically more palatable to have a "defense" department than a "war" department.

      I think it is reasonable to have a group with the NSA's offensive mission so that we have the capability. I think it's also clear we don't need that group to be the size and scale of the NSA; at least not when it's in addition to the CIA.

      Personally I think the sensible thing to do is disband the NSA. Move some of the signals intel assets into the CIA and possibly some into the Army/Navy/Air Force as appropriate for the task. What is left over should be re-tasked to actually defending and improving our computer security posture and probably turned into a new but small agency with a narrow mission statement and shoved under the Homeland Security umbrella. I'd say put it in the FBI, but that isn't really right because again the FBI's core mission is one of offense, even if it is against domestic threats. In fact maybe we should part out the FBI a little bit too, moving some of their fraud prevention and similar efforts into, again, a smaller defensively focused group.

      A lot of the problems we have with these agencies are culture and mission creep problems. Yes, 9/11 showed us we need to be careful about erecting too many walls between our agencies, which is why we created Homeland Security as a parent department that should be coordinating information sharing. If we had smaller, more narrowly focused groups with separate budgets, power and money would be more diffuse; it would keep one director or group of administrators from going off the rails and having such large pools of money to do insane things with, like recording and storing metadata for every call made everywhere. Yet these groups could still have a culture of collaboration and information sharing, and possibly a way to directly refer cases to each other, etc. They could still be effective without getting crazy.

      More importantly, and more to the point here: people in those groups would have a much clearer understanding of "the mission" and not have to deal with so many impedance mismatches. They and we would be able to do a much better job at assessing how effective they are.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Super Secure NSA protects america! by Anonymous Coward · · Score: 0

      Wrong.

      I bet there are personal referees, managers, parents, health professionals and trust account details. That number is still an underestimate.
      Managers should be fired for putting buggy, unfinished solutions in production. What - no heads have rolled yet?

    3. Re:Super Secure NSA protects america! by myowntrueself · · Score: 1

      > 22 million government workers get hacked probably because some anus site got SQL injected.
      >
      > The NSA spends no time auditing its own systems to protect American citizens, and all of its time spying on Americans and "terrorists"
      >
      > If the NSA's mission is to truly defend America, how come sensitive government systems are still prone to SQL injection?
      >
      > Let this all sink in.

      If the NSA actually protected US citizens from being hacked, how would the other 4 eyes of the 5 Eyes treaty spy on Americans?? Don't be stupid; part of the NSA's job is to make SURE that you can be hacked by the other 4 eyes (CSIS, ASIS, NZSIS and GCHQ).

      --
      In the free world the media isn't government run; the government is media run.
  9. Names and actual identities of spies by ebonum · · Score: 1, Interesting

    This database should contain all the personal details on spies. If this was stolen by China, why haven't we heard about every spy being pulled out of China and Russia? They are friend-enemies after all.

    Any chance this hack was done by the NSA to help get more funding and show the Americans how much they are needed to keep us safe? The NSA would know all the details of how the OPM works. Easy target.
    Go into a big Chinese bank. What do you see? Most of the computers used for operations are still running XP. Hacking old Win 2003 servers in China from the US might not be very difficult. There are A LOT of Win 2003 servers in China. If you use these computers to launch an attack, who isn't going to believe those uber-smart Chinese have hacked us again?
    If the Chinese actually have this data, there should be a huge reaction. I haven't seen it. 1,000's to 10,000's of Americans at the embassies and working abroad should have run back to the US on very short notice. We should be hearing how our spying has been set back 20 years. Things are WAY too quiet. It doesn't make sense to me.

    1. Re:Names and actual identities of spies by CrimsonAvenger · · Score: 1

      Paranoia getting the better of you?

      First off, it would take a particularly stupid intelligence agency to keep its personnel records on OPM computers where just anyone could see them.

      Secondly, unless you're absolutely sure who has the information, you don't confirm it for the world by a quick (over-)reaction.

      And thirdly, why do you think YOU would notice what the government was doing with its embassies? If it were doing something abnormal, would you even recognise it as "something abnormal"?

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    2. Re:Names and actual identities of spies by Anonymous Coward · · Score: 0

      I agree. Smells like a false flag to drum up funding for the NSA.

    3. Re:Names and actual identities of spies by AHuxley · · Score: 1

      Russia and China don't have to care. They think very long term and have all their real contacts in cleared US gov/mil positions going back generations and many decades.
      They trust their own contacts within the US system and have fully tested them going back decades.
      Russia and China also understand the "Limited hangout" https://en.wikipedia.org/wiki/... of any bulk files.
      How many US mil traps and gems are really in that data? Go looking over bulk data and what for?
      Russia and China have always understood where and how to find US staff they needed or have been open to US walk ins.
      Any digital data like that from the US will be loaded with fake data every day that looks so good until it is "found".
      Reverse lookups would be the most simple thing to look for in the USA and plant in any vast amounts in all US databases.
      Russia would not use/risk any staff or network to look at bulk data.
      Everything interesting would have been quickly changed by the US mil and anything could be a US trap.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Names and actual identities of spies by Charliemopps · · Score: 1

      > Paranoia getting the better of you?

      That's the first problem when you have an agency like the NSA. There's absolutely nothing to stop them from doing something like this and arguing later that it was for national security.

      > First off, it would take a particularly stupid intelligence agency to keep its personnel records on OPM computers where just anyone could see them.

      This is the second problem when you have an agency like the NSA. You believe, like in the movies, all the top talent is there and nothing like this could happen. But in reality, all the talent that's willing to do what they're told without question is what's there. Quality may not be their strong suit, and again, this is the feds. They invented the term "Fubar".

      > Secondly, unless you're absolutely sure who has the information, you don't confirm it for the world by a quick (over-)reaction.

      They are going to torture and murder your employees. How exactly are you supposed to react?

      > And thirdly, why do you think YOU would notice what the government was doing with its embassies? If it were doing something abnormal, would you even recognize it as "something abnormal"?

      I agree with you on this point. I'm assuming they moved whatever they could out of harm's way before we even heard of this attack. They might have even discovered the attack because they lost a few people and figured out there was a leak.

    5. Re:Names and actual identities of spies by Anonymous Coward · · Score: 0

      > This database should contain all the personal details on spies.

      Nope. CIA does its own background checks and keeps the data on its own systems. It doesn't use OPM for that.

    6. Re:Names and actual identities of spies by AHuxley · · Score: 1

      Re "Secondly, unless you're absolutely sure who has the information, you don't confirm it for the world by a quick (over-)reaction.
      And thirdly, why do you think YOU would notice what the government was doing with its embassies? If it were doing something abnormal, would you even recognise it as "something abnormal"?"
      Most other nations do really try to really count every passport in and out and do have working, fully updated databases, other paper work and tax systems to track every worker.
      Most nations do have fully funded and expert border controls, tax systems, passport reconciliation, facial recognition to help with just such issues surrounding all workers from other nations.
      If a US backed clandestine "front" NGO, firm, educational, consulting, faith based charity, contractors started moving expert US staff out, positions would have to be filled and most nations could track that slight, unexpected, daily, rapid change to longer term staff.
      Gossip within the expert expatriate community is tracked like any other community.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:Names and actual identities of spies by catsRus · · Score: 1

      > I agree. Smells like a false flag to drum up funding for the NSA.

      We already pay the NSA to secure the communications and .gov systems, wonder what they did with all that money?

    8. Re:Names and actual identities of spies by bitingduck · · Score: 1

      NSA doesn't need to do any of that. Their budget is made up of money laundered through programs with boring names so nobody can tell what they get anyway.

      And if they want the data all they have to do is ask OPM. Or offer to store backups for them. The privacy act protections are almost nonexistent and completely worthless.

    9. Re:Names and actual identities of spies by Anonymous Coward · · Score: 0

      > They are going to torture and murder your employees. How exactly are you supposed to react?

      Unlikely. They're going to try to turn your employees...

    10. Re:Names and actual identities of spies by DarkOx · · Score: 1

      > personnel records on OPM computers where just anyone could see them

      Would it? That information is still needed. Paychecks have to get cut, etc. All these clandestine people need some kind of cover. So why not give them "jobs" as administrative employees in what everyone already understands to be a giant bureaucracy? That way, if anyone inside or outside goes looking for information, they find exactly what they expect.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    11. Re:Names and actual identities of spies by notea42 · · Score: 1

      Wrong - the CIA keeps its own records separate, for exactly this reason. FBI, DoD, and Contractors however were screwed by this.

    12. Re:Names and actual identities of spies by myowntrueself · · Score: 1

      > Russia and China don't have to care. They think very long term and have all their real contacts in cleared US gov/mil positions going back generations and many decades.

      That is their strength compared to the democracies of the west. The democratic powers can only plan maybe 8 years ahead (if they are feeling very confident).

      --
      In the free world the media isn't government run; the government is media run.
    13. Re:Names and actual identities of spies by AHuxley · · Score: 1

      Re "can only plan maybe 8 years ahead (if they are feeling very confident)."
      The West could not even hold the one type of database it really, really, really had to hold as a good secret away from random, fast, open public networks.
      So some cleared contractor could go to some out of state jobs fair, find some needed translator or skilled expert and get them cleared to start work sooner to bid on some federal task 'sooner'...
      Just so the private sector could feel more happy about getting more federal funding quicker in the digital world.
      In the past the US understood how to keep all that vital info split. No one walk-out event would give any person anything too vital.
      Even East Germany understood that simple database reality when putting its new spy networks together after the West got its entire list of agents.
      Keep files separated and make sure any person wanting to connect files has to face a few real humans if they want to connect files and has a very good reason as to why.
      East Germany lost its final digital spy database again to the CIA years later when its new digital archive was fully recovered.
      Yet with all the real world historic understanding the US still thought it was a great idea to just network that kind of data...
      All the US can do is task the GCHQ, NSA, ASD, GCSB with every bit of related data and hope the data gets reverse searched...on some network at some time
      Double secret limited hangout.

      --
      Domestic spying is now "Benign Information Gathering"
    14. Re:Names and actual identities of spies by ZeroWaiteState · · Score: 1

      I doubt even the NSA could answer that question.

    15. Re:Names and actual identities of spies by MtnDeusExMachina · · Score: 1

      Limited hangout is wishful thinking. Anyone who is any good at this game gets everything they want from the limited hangout, regardless of the intent to deceive. Even misleading, incomplete, or deceptive data is still data.

  10. Anybody have secret information about the USA? by Anonymous Coward · · Score: 1

    Money? Forget money.

    This is about the Chinese using blackmail against government employees with security clearances. They're on a war-footing.

    If only there were some person responsible for making sure the USA were protected against these sorts of threats.

    1. Re:Anybody have secret information about the USA? by Anonymous Coward · · Score: 0

      Don't believe the fairytale bullshit. War is about money, always.

    2. Re: Anybody have secret information about the USA? by Anonymous Coward · · Score: 0

      It is American technology, deliberately weakened, which enabled this.

      Your own made medicine does not taste well? Boohoo.

  11. compromized (sp?) by Anonymous Coward · · Score: 0

    Even FireFox textarea elements spell check for you. Maybe timothy is using IE6?

  12. Why did the US even allow such a database? by AHuxley · · Score: 3, Interesting

    The US gov seemed to have really understood all the issues the UK and other nations had with selecting and sorting cleared staff, from the UK security issues of the 1930's to 1980's.
    Full background interviews, real cleared US gov staff looking deep into a person's submitted life story and looking at the facts on the ground anywhere in the US.
    Life story, education, friends, mail, reading material, call logs all allowed the US gov to select the more useful and smart people for sensitive positions.
    Over the past decade the move was to finding staff with unique skills quickly and trying to ensure US security paperwork was not going to be any issue for contractors, ex staff, former staff, people moving from the private sector into gov or gov into the private sector. All while keeping or re-using past security access.
    The US gov and mil could ensure skilled staff from the public and private sector were ready, could be found and sorted regionally and quickly for any task in or out of the USA.
    The problem for the US gov is it needed so many contractors quickly and hoped remote digital files could 'clear' a boss and their new company or past contractor/mil/gov staff for new gov/mil/contractor work.
    Vast new online digital databases allowed for lucrative jobs to be handed out and any security issues to be fixed quickly.
    The downside of this rapid system is what was fully understood by the US, UK, Australian and many other nations since the 1950's from their WW2 and 1930's security issues. Don't hire or create security in haste, and keep the files away from all other people in gov, mil, private sector and other nations. How or why the US gov ever let go of its most secure files for national remote access is a real mystery.
    Other nations who kept their files safe from new contractors' needs and within the gov seemed to have understood the issues of rapid security expansion and all the remote database issues. Why did the US gov and mil think it was a good idea or safe to allow complex files of that nature to just move across regional and national networks from the mid 1990's on?

    --
    Domestic spying is now "Benign Information Gathering"
  13. Re:so what by Anonymous Coward · · Score: 1

    Love won, and bigots lost. Cry some more, bigot.

  14. Wait until they hack Obamacare's DB by BoRegardless · · Score: 4, Insightful

    That will happen. It is only a matter of time.

    1. Re:Wait until they hack Obamacare's DB by Anonymous Coward · · Score: 1

      To what end? Those aren't exactly people ripe for identity theft. You'd have a bunch of low-credit, low income people who couldn't get a high interest car loan, much less be of use to anyone in China.

  15. No more NSA by Charliemopps · · Score: 3, Interesting

    So the NSA is clearly useless, and making the situation worse. They are not, and cannot protect us electronically. Instead, they are collecting all of our information and storing it for the inevitable hack that will give it to the rest of the world. The first question I ask when I'm asked to secure data is: "Do we actually need this data?" You can't steal what doesn't exist. Why the hell did this agency have data on people going back to the 1980s? Why is the NSA collecting data on all of us? It's a pointless endeavor that's putting us all at risk.

    1. Re:No more NSA by Anonymous Coward · · Score: 0

      Did someone say NSA? I hear there's a new Microsoft NSA certification.

      July 31, 2012

      Microsoft (MS) began encrypting web-based chat with the introduction of the new outlook.com service. This new Secure Socket Layer (SSL) encryption effectively cut off collection of the new service for FAA 702 and likely 12333 (to some degree) for the Intelligence Community (IC). MS, working with the FBI, developed a surveillance capability to deal with the new SSL. These solutions were successfully tested and went live 12 Dec 2012. The SSL solution was applied to all current FISA and 702/PRISM requirements - no changes to UTT tasking procedures were required. The SSL solution does not collect server-based voice/video or file transfers. The MS legacy collection system will remain in place to collect voice/video and file transfers. As a result there will be some duplicate collection of text-based chat from the new and legacy systems which will be addressed at a later date. An increase in collection volume as a result of this solution has already been noted by CES.

      March 15, 2013

      SSO's PRISM program began tasking all Microsoft PRISM selectors to Skype because Skype allows users to log in using account identifiers in addition to Skype usernames. Until now, PRISM would not collect any Skype data when a user logged in using anything other than the Skype username which resulted in missing collection; this action will mitigate that. In fact, a user can create a Skype account using any e-mail address with any domain in the world. UTT does not currently allow analysts to task these non-Microsoft e-mail addresses to PRISM, however, SSO intends to fix that this summer. In the meantime, NSA, FBI and Dept of Justice coordinated over the last six months to gain approval for PRINTAURA to send all current and future Microsoft PRISM selectors to Skype. This resulted in about 9800 selectors being sent to Skype and successful collection has been received which otherwise would have been missed.

      March 7, 2014

      PRISM now collects Microsoft Skydrive data as part of PRISM's standard Stored Communications collection package for a tasked FISA Amendments Act Section 702 (FAA702) selector. This means that analysts will no longer have to make a special request to SSO for this - a process step that many analysts may not have known about. This new capability will result in a much more complete and timely collection response from SSO for our Enterprise customers. This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established.

    2. Re:No more NSA by myowntrueself · · Score: 1

      > So the NSA is clearly useless, and making the situation worse. They are not, and cannot protect us electronically. Instead, they are collecting all of our information and storing it for the inevitable hack that will give it to the rest of the world. The first question I ask when I'm asked to secure data is: "Do we actually need this data?" You can't steal what doesn't exist. Why the hell did this agency have data on people going back to the 1980s? Why is the NSA collecting data on all of us? It's a pointless endeavor that's putting us all at risk.

      The NSA doesn't want to protect you electronically. They need to make sure that their buddies in 5 Eyes can spy on you. GCHQ, CSIS, NZSIS and ASIS all have to be able to hack you, spy on you, etc. The NSA doesn't want to stand in the way of that. Hence counterintelligence operations in the 5 Eyes nations are a shambles.

      --
      In the free world the media isn't government run; the government is media run.
    3. Re:No more NSA by Anonymous Coward · · Score: 0

      The NSA is not chartered to protect you. But like most Americans, you are too ignorant to know this.

  16. Re:so what by ProfBooty · · Score: 3, Insightful

    You don't need to be in love to get married. There's no requirement to prove love. Long-term cohabiting couples, homo or hetero, don't need government validation of their relationships.

    This is about recognition for benefits and property rights, though the latter was often done by homosexual couples through LLCs for joint property.

    --
    Bring back the old version of slashdot.
  17. There's no reforming OPM by MikeRT · · Score: 5, Insightful

    OPM is pretty legendary in federal circles as basically the sort of federal agency that inspired the bureaucrat jokes on Futurama. The only way to "reform" them is to just scuttle the agency and transfer its functions to the various departments. The Office of the Director of National Intelligence should get the investigators and that authority. Civil service management should be a per-department issue. Managing retirees' benefits could easily just be contracted out to whatever private companies already manage the asset pool of the pension funds. The federal retirees I know would love to deal with a bank rather than OPM. Why? A bank would actually give a shit about processing their communications in a timely fashion.

    1. Re:There's no reforming OPM by Guybrush_T · · Score: 0

      And yet, I find OPM pretty good in how they handle the situation. Full disclosure is not really a technique of the past and I'm quite surprised to see them contact every person who had data stolen and provide all details about what exactly was stolen.

      I'm not sure all gov agencies in the world would act that way.

  18. Re: so what by Anonymous Coward · · Score: 0

    While we're off topic, we might as well mention that the majority of straight people holding hands and shouting "Hurray! Love wins!" were making gay jokes 20 years ago. Most folk have always thought the notion of gay sex was disgusting (at least between 2 men or 2 "ugly" women). If there were really such a large number of people who advocated it, ssm would've been legalized a looooong time ago. No. It was a farce that people fell for, because they were duped into thinking everyone else wanted it, and it snowballed. Good job, lemmings of America. You've made us the most fickle nation on Earth. Now, all this talking has made me thirsty. Hey! Why does this koolaid taste like semen?

  19. Blue Cross by Etherwalk · · Score: 1

    That will happen. It is only a matter of time.

    Haven't you been paying attention? They already hacked blue cross, which is a shitload more concerning in terms of intelligence targets than hacking health care info for America's poor and out-of-work.

  20. de haxx0rz by Anonymous Coward · · Score: 0

    r c0mpr0m1z1n j00!!!!111!eleventy!

  21. Open Letter to the OPM by Anonymous Coward · · Score: 0

    This is an open letter to the OPM and IT Security Professionals or Administrators involved:

    Other than outright incompetence WHY, why for the love of all we hold dear, were these systems connected to the Internet? Or connected to internal networks that were then connected to the Internet?

According to congressional testimony there is a group of systems, some of which cannot be secured AND/OR cannot be secured with encryption or modernized. Okay, the solution is simple: disconnect them and use "Sneaker Net" to access the data.

For the uninitiated, "Sneaker Net" or "Trainer Net" means you need to have physical access, i.e. walk over to a computer that is connected to the system in order to access it. It is disconnected from all other systems and networks.

Is it inconvenient and inefficient? Sure, but it is better than putting a system that cannot be secured on a network that is in any way connected to the Internet.

    It is that simple to protect sensitive legacy systems at a basic level.

Next question: Why isn't this data protected at, AT LEAST, the security level the applicant is applying for?

Is it expensive to do this? Yes! BUT on the application it is indicated what security level is being applied for... now how valuable is that data?

    Next question [rhetorical]: What is the MOST IMPORTANT PART of any government project, organization, or security plan?

    Answer: THE PERSONNEL!!!

    1. Re:Open Letter to the OPM by Anonymous Coward · · Score: 0

      Am adding information to my AC post above. For anyone that wants to know, yes, bank account information is included in the SF86. Not that they won't check other sources such as your credit history but you have to list current bank accounts as part of your profile.

      This should be a career ending event for all of the management and quite possibly many of the admins and IT security folks involved.

      Have I worked for this office? No, but I have worked on other systems and this is just unfathomable to me.

      And forget reparations and free credit check/blocking services, I WANT A NEW IDENTITY!!!!!! And that includes friends and family ;-)

  22. I'm one of them by T.E.D. · · Score: 1

    Until about a year ago, I had a security clearance. So I'm one of the 22 million. I've already been contacted by our site clearance officer. They gave me this link from the OPM about the breach, which has more information than the links in the article.

For those who haven't gone through it, during a background search they send actual human beings around to your friends and family, and then to second-order contacts they know who know you, to ask questions about you. So the OPM, and now the hackers, literally know stuff about me that I don't know.

    1. Re:I'm one of them by Anonymous Coward · · Score: 0

I remember a time when clearance data was held by a govt agency (use any one for this example) and the paperwork was held at specific centers. Then it was decided to create a centralized database in electronic form, and it was contracted out. Instead of a government employee collecting the SF86 info, it was done by a govt contractor, and even the interviewer was a contractor. I was thinking we will probably see a major breach when the contractor (a private company motivated to make profits) will eventually sub-contract databases to someone else (good chance a foreign company like everything else). And that database sitting on a server in China, India, or wherever. Whups! Now it is this situation we are dealing with. Why in the hell do they put all this on the internet? I heard it wasn't even encrypted.

    2. Re:I'm one of them by T.E.D. · · Score: 1

      will eventually sub-contract databases to someone else (good chance a foreign company like everything else). And that database sitting on a server in China, India, or wherever

      In this science fiction scenario of yours, I'd be more worried about said country instructing its workers to munge the data to let certain designated people get clearances.

      Some science fiction comes to pass of course, but I'd like to think anyone with access to that particular database is required to have a COMSEC clearance (which are prohibited to "foreign persons").

  23. You're damning them with faint praise by MikeRT · · Score: 1

    Most government agencies would never have let this happen in the first place because they're not stupid enough to "save money" by creating such an unbelievably high value collection of data so easily accessible to the Internet. Another thing, they would never have hired foreign contractors to work on such a critical database. OPM's contract office should be headed to Leavenworth for that decision.

  24. Re: so what by ProfBooty · · Score: 1

    People are sheep.

    --
    Bring back the old version of slashdot.
  25. Re:so what by Anonymous Coward · · Score: 0

    you're a dick. Do you even know what is in the Bill of Rights? Christ, morons like you are what makes me wish I was born in another country.

  26. Identification is not Authentication by Harold+Zable · · Score: 1

    Could someone just publish a list of everyone's name, phone numbers, addresses, and SSN's already? Then there would be some motivation for people and organizations to learn the difference between identification and authentication. Knowing a number with nine or so digits associated with an individual shouldn't give you access to their credit, whether it's their SSN or their telephone number.

    1. Re:Identification is not Authentication by MtnDeusExMachina · · Score: 1

      I think you've hit on something here. The reason I think it hasn't been done yet is that it makes people work much harder at authentication, and (so far) it is too expensive to implement authentication that doesn't use the obscurity of the personal identification data.

  27. Re: Would this have happened had they used OpenBSD by Anonymous Coward · · Score: 0

They also use this Meta-Security-Hole called "C language"? Brought to you by a branch of government, with the Danaer gift of an operating system written in said language. Free!

What could possibly be wrong with a free system on which you can store your secrets? Absolutely nothing, certainly.

    Never say again "military intelligence is an oxymoron". These folks have pwned an entire industry, because said industry trades in information. Information is power. Military is about power.

  28. Freezing credit reports would help mitigate the da by Anonymous Coward · · Score: 0

    Most people are unaware that consumers can prevent their credit from being checked by instituting a credit report freeze at the major credit reporting agencies. This reduces the risk of identity theft almost to zero since lenders won't be able to do a credit check.

I created a White House petition this morning that would require the credit reporting agencies to automatically freeze the credit report for anyone impacted by a data breach. Unfortunately one has to get 100,000 signatures in a one-month period before the White House will consider the proposal. Even with social media, unless one can get the word out really fast, far and wide, it seems like an impossible task. Anyhow, if anyone is interested, spread the word if you can.

    https://petitions.whitehouse.gov//petition/require-all-citizens-credit-reports-be-frozen-default