More Than 22 Million People's Data Compromised By OPM Hack

OutOnARock writes with news that the Office of Personnel Management data breach reported earlier this month was actually far worse than earlier estimates had it; in all, it seems that more than 22 million people (not all of them government employees) had personal information compromised by the breach. From Yahoo News's coverage: That number is more than five times larger than what the Office of Personnel Management announced a month ago when first acknowledging a major breach had occurred. At the time, OPM only disclosed that the personnel records of 4.2 million current and former federal employees had been compromised.

Torches and Pitchforks!

Peasants you know what to do!

I should've stayed unemployed...

[__aaclcg7560]

My two-hour background investigation interview lasted four hours because the bureaucrats in Washington couldn't understand how one person can have multiple jobs. After being out of work for two years (2009-2010), underemployed for six months (working 20 hours per month) and filing for Chapter Seven bankruptcy in 2011, don't you think a person would work a regular Monday-Friday job and a weekend job to get his finances in better shape? Meh...

Enjoy my case file, hackers! I hope your head explodes from my employment misery!

the internet is an open book

[turkeydance]

for everyone to read

One out of three US citizens

I believe that brings the total number of people compromised in the past few years up to about, oh, a hundred million.

Re:One out of three US citizens

[speedplane]

We should build a database of people who have not yet been compromised. It'll be easier to keep track of.

Not the Mil TLD side

[WillAffleckUW]

Only the Civ Gov side.

So, only one of the five spy agencies you know about.

Re:Not the Mil TLD side

[StikyPad]

Eh?

1) The IC comprises 17 agencies. That's not a secret. Anymore, at least.
2) Some of those agencies use OPM for background investigations, and some don't. I can tell you that the distinction is not strictly military/"civilian" though.
3) Some (not a small number) of the people that work at those agencies have pre-existing background investigations from prior employment, be it military, civilian, or contractor. It's not an impossible task to use data mining to map past background investigations to current employees at those agencies once you have those records, especially for overt employees.

Also, this impacted the FBI's employees, so that by itself is a huge national security issue, since they have access to a lot of the same information that the IC does.

Honestly, though, this is only the most visible OpSec failure. It's likely that our "non allies" -- Russia and China -- already have our intelligence agencies fairly well mapped out just from surveillance and humint, let alone sigint. That's the easy part. Finding out what we know and don't know is a bit tougher, but nothing's impossible. The payoffs of espionnage are large and the risks are relatively low in nation-state terms. I would be shocked if they don't know at least as much about us as we know about them, if not more, because we are far and away the biggest and most lucrative target on the world stage, and there's no such thing as perfect security.

But that's not such a bad thing, to be honest. For the most part, we have a high degree of integrity in our foreign policy (relative to most other nation-states, if not in absolute terms), and we don't try to hide our agenda. They're not going to discover that we have secret plans to invade Mexico, or that our NATO missile defense system is really setting the stage to invade Russia. And it's no secret that we have the capability to defend ourselves, so even finding chinks in our armor isn't going to negate the fact that we have the world's largest Navy, we're fully capable of crippling retaliatory strikes through a plethora of means.

Our real weakness is well known -- we allow ourselves to get baited into spending vast resources on what are ultimately inconsequential conflicts: Korea, Vietnam, Afghanistan, Iraq II, and now ISIS. None of these were legitimate threats to our national security on a significant scale, but we treat them as though they were, out of pride or something. We lose a pawn and we chuck the board aside and turn it into a deathmatch. That's our real weakness. Pride.

Re:Not the Mil TLD side

[MtnDeusExMachina]

Kudos. This is on the money. One of the best postings I have ever read on /.

Super Secure NSA protects america!

22 million government workers get hacked probably because some anus site got SQL injected.

The NSA spends no time auditing it's own systems to protect American citizens, and All of it's time spying on Americans and "terrorists"

If the NSA's mission is to truely defend America, how come sensitive government systems are still prone to SQL injection?

Let this all sink in.

Re:Super Secure NSA protects america!

[DarkOx]

I think that is the problem the NSA's mission isn't defense its offense largely. We don't really have a cyber (ugh I can't believe I just wrote that word) defensive force. We probably should but we leave that to 'domestic' agencies like the FBI and other groups we rolled up into Homeland Security.

Remember the "Department of Defense" (although there were some other reorganizations and mergers) was essentially created by renaming the "War Department" because its politically more palatable to have a "defense" department than a "war" department.

I think it is reasonable to have a group with the NSA's offensive mission so that we have the capability. I think its also clear we don't need that group to be the size and scale of the NSA; at least not when its in addition to the CIA.

Personally I think the sensible thing to do is disband NSA. Move some of the signals intel assets into CIA and possibly some in Army/Navy/Air-force as appropriate for task. What is left over should be re-tasked to actually defending and improving our computer security posture and probably turned into a new but small agency with a narrow mission statement and shoved under the homeland security umbrella. I'd say put in the FBI but that isn't really right because again the FBI's core mission is one of offense even if it is against domestic threats. In fact maybe we should part out the FBI a little bit too, moving some of the their fraud prevention and type efforts into again a smaller defensively focused group.

A lot of the problems we have with these agencies are culture and mission creep problems. Yes 9/11 showed us we need to be careful about erecting to many walls between our agencies. Which is why we created Homeland Security and parent department what should be coordinating information sharing. If we had smaller more narrowly focused groups with separate budgets power and money would be more diffuse it would keep one director or group of administrators from going off the rails and having such large pools of money to do insane things with like recording and storing meta data for every call make everywhere. Yet these groups could still have a culture of collaboration and information sharing possibly a way to directly refer cases to each other etc. They could still be effective without getting crazy.

More importantly and more to the point here. People in those groups would have a much clearer understanding of "the mission" and not have to deal with so many impedance mismatches. They and us would be able to do a much better job at assessing how effective they are.

Re:Super Secure NSA protects america!

[myowntrueself]

22 million government workers get hacked probably because some anus site got SQL injected.

The NSA spends no time auditing it's own systems to protect American citizens, and All of it's time spying on Americans and "terrorists"

If the NSA's mission is to truely defend America, how come sensitive government systems are still prone to SQL injection?

Let this all sink in.

If the NSA actually protected US citizens from being hacked how would the other 4 eyes of the 5 eyes treaty spy on Americans?? Don't be stupid, part of the NSAs job is to make SURE that you can be hacked by the other 4 eyes (CSIS, ASIS, NZSIS and GCHQ).

Names and actual idenities of spies

[ebonum]

This database should contain all the personal details on spies. If this was stolen by China, why haven't we heard about every spy being pulled out of China and Russia? They are friend-enemies after all.

Any chance this hack done by the NSA to help get more funding and show the Americans how much they are needed to keep us safe? The NSA would know all the details of how the OPM works. Easy target.
Go into a big Chinese bank. What do you see? Most of the computers used for operations are still running XP. Hacking old Win 2003 servers in China from the US might not be very difficult. There are A LOT of Win 2003 servers in China. If you use these computers to launch an attack, who isn't going to believe those uber-smart Chinese have hacked us again?
If the Chinese actually have this data, there should be a huge reaction. I haven't see it. 1,000's to 10,000's of Americans at the embassies and working abroad should have run back to the US on very short notice. We should be hearing how our spying has been set back 20 years. Things are WAY too quiet It doesn't make sense to me.

Re:Names and actual idenities of spies

[CrimsonAvenger]

Paranoia getting the better of you?

First off, it would take a particularly stupid intelligence agency to keep its personnel records on OPM computers where just anyone could see them.

Secondly, unless you're absoutely sure who has the information, you don't confirm it for the world by a quick (over-)reaction.

And thirdly, why do you think YOU would notice what the government was doing with its embassies? If it were doing something abnormal, would you even recognise it as "something abnormal"?

Re:Names and actual idenities of spies

[AHuxley]

Russia and China dont have to care. They think very long term and have all their real contacts in cleared US gov/mil position going back generations and many decades.
They trust their own contacts within the US system and have fully tested them going back decades.
Russian and China also understand the "Limited hangout" https://en.wikipedia.org/wiki/... of any bulk files.
How many US mil traps and gems are really in that data? Go looking over bulk data and what for?
Russia and China have always understood where and how to find US staff they needed or have been open to US walk ins.
Any digital data like that from the US will be loaded with fake data every day that looks so good until it is "found".
Reverse lookups would be the most simple thing to look for in the USA and plant in any vast amounts in all US databases.
Russia would not use/risk any staff or network to look at bulk data.
Everything interesting would have been quickly changed by the US mil and anything could be a US trap.

Re:Names and actual idenities of spies

[Charliemopps]

Paranoia getting the better of you?

That's the first problem when you have an agency like the NSA. There's absolutely nothing to stop them from doing something like this and arguing later that it was for national security.

First off, it would take a particularly stupid intelligence agency to keep its personnel records on OPM computers where just anyone could see them.

This is the second problem when you have an agency like the NSA. You believe, like in the movies, all the top talent is there and nothing like this could happen. But in reality, all the talent that's willing to do what their told without question is what's there. Quality may not be their strong suit, and again, this is the feds. They invented the term "Fubar"

Secondly, unless you're absolutely sure who has the information, you don't confirm it for the world by a quick (over-)reaction.

They are going to torture and murder your employees. How exactly are you supposed to react?

And thirdly, why do you think YOU would notice what the government was doing with its embassies? If it were doing something abnormal, would you even recognize it as "something abnormal"?

I agree with you on this point. I'm assuming they moved whatever they could out of harms way before we even heard of this attack. They might have even discovered the attack because they lost a few people and figured out there was a leak.

Re:Names and actual idenities of spies

[AHuxley]

Re "Secondly, unless you're absoutely sure who has the information, you don't confirm it for the world by a quick (over-)reaction.
And thirdly, why do you think YOU would notice what the government was doing with its embassies? If it were doing something abnormal, would you even recognise it as "something abnormal"?"
Most other nations do really try to really count every passport in and out and do have working, fully updated databases, other paper work and tax systems to track every worker.
Most nations do have fully funded and expert border controls, tax systems, passport reconciliation, facial recognition to help with just such issues surrounding all workers from other nations.
If a US backed clandestine "front" NGO, firm, educational, consulting, faith based charity, contractors started moving expert US staff out, positions would have to be filled and most nations could track that slight, unexpected, daily, rapid change to longer term staff.
Gossip within the expert expatriate community is tracked like any other community.

Re:Names and actual idenities of spies

[catsRus]

I agree. Smells like a false flag to drum up funding for the NSA.

We already pay the NSA to secure the communications and .gov systems, wonder what they did with all that money?

Re:Names and actual idenities of spies

[bitingduck]

NSA doesn't need to do any of that. Their budget is made up of money laundered through programs with boring names so nobody can tell what they get anyway.

And if they want the data all they have to do is ask OPM. Or offer to store backups for them. The privacy act protections are almost nonexistent and completely worthless.

Re:Names and actual idenities of spies

[DarkOx]

personnel records on OPM computers where just anyone could see them

Would it. That information is still needed. Paychecks have to get cut etc. All these clandestine people need some kind of cover. So why not give them "jobs" as administrative employees in what everyone already understands to be a giant bureaucracy. That way if anyone inside or outside goes looking for information they find exactly what they expect.

Re:Names and actual idenities of spies

[notea42]

Wrong - the CIA keeps its own records separate, for exactly this reason. FBI, DoD, and Contractors however were screwed by this.

Re:Names and actual idenities of spies

[myowntrueself]

Russia and China dont have to care. They think very long term and have all their real contacts in cleared US gov/mil position going back generations and many decades.

That is their strength compared to the democracies of the west. The democratic powers can only plan maybe 8 years ahead (if they are feeling very confident).

Re:Names and actual idenities of spies

[AHuxley]

Re "can only plan maybe 8 years ahead (if they are feeling very confident)."
The West could not even hold the one type of database it really, really, really had to hold as a good secret away from random, fast, open public networks.
So some cleared contractor could go to some out of state jobs fair, find some needed translator or skilled expert and get them cleared to start work sooner to bid on some federal task 'sooner'...
Just so the private sector could feel more happy about getting more federal funding quicker in the digital world.
In the past the US understood how to keep all that vital info split. No one walk out event would give any person anything too vital.
Even East Germany understood that simple database reality when putting its new spy networks together after the West got its entire list of agents.
Keep files seperated and make sure any person wanting to connect files has to face a few real humans if they want to connect files and had a very good reason as to why.
East Germany lost its final digital spy database again to the CIA years later when the its new digital archive was fully recovered.
Yet with all the real world historic understanding the US still thought it was a great idea to just network that kind of data...
All the US can do is task the GCHQ, NSA, ASD, GCSB with every bit of related data and hope the data gets reverse searched...on some network at some time
Double secret limited hangout.

Re:Names and actual idenities of spies

[ZeroWaiteState]

I doubt even the NSA could answer that question.

Re:Names and actual idenities of spies

[MtnDeusExMachina]

Limited hangout is wishful thinking. Anyone who is any good at this game gets everything they want from the limited hangout, regardless of the intent to deceive. Even misleading, incomplete, or deceptive data is still data.

Anybody have secret information about the USA?

Money? Forget money.

This is about the Chinese using blackmail against government employees with security clearances. They're on a war-footing.

If only there were some person responsible for making sure the USA were protected against these sorts of threats.

Why did the US even allow such a database?

[AHuxley]

The US gov seemed to have really understood all the issues the UK and other nations had with selecting and sorting cleared staff from the UK security issues of the 1930's to 1980's.
Full background interviews, real cleared US gov staff looking deep into a persons submitted life story and the looking at the facts on the ground anywhere in the US.
Life story, education, friends, mail, reading material, calls logs all allowed the US gov to select the more useful and smart people for sensitive positions.
Over the past decade the move was to finding staff with unique skills quickly and trying to ensure US security paperwork was not going to be any issue for contractors, ex staff, former staff, people moving from the private sector into gov or gov into the private sector. All while keeping or re using past security access.
The US gov and mil could ensure skilled staff from the public and private sector where ready, could be found and sorted regionally and quickly for any task in or out of the USA.
The problem for the US gov is it needed so many contractors quickly and hoped remote digital files could 'clear' a boss and their new company or past contractor/mil/gov staff for new gov/mil/contractor work.
Vast new online digital databases allowed for lucrative jobs to be handed out and any security issues to fixed quickly.
The down side of this rapid system what what is what was fully understood by the US, UK, Australian and many other nations since the 1950's from their WW2 and 1930's security issues. Dont hire or create security in haste and keep the files away from all other people in gov, mil, private sector and other nations. How or why the US gov ever let go if its most secure files for national remote access is a real mystery.
Other nations who kept their files safe from new contractors needs and within the gov seemed to have understood the issues of rapid security expansion expansion and all the remote database issues. Why did the US gov and mil think it was a good idea or safe to allow complex files of that nature to just move regional and national networks from the mid 1990's on?

Re:so what

Love won, and bigots lost. Cry some more, bigot.

Wait until they hack Obamacare's DB

[BoRegardless]

That will happen. It is only a matter of time.

Re:Wait until they hack Obamacare's DB

To what end? Those aren't exactly people ripe for identity theft. You'd have a bunch of low-credit, low income people who couldn't get a high interest car loan, much less be of use to anyone in China.

No more NSA

[Charliemopps]

So the NSA is clearly useless, and making the situation worse. They are not, and cannot protect us electronically. Instead, they are collecting all of our information and storing it for the inevitable hack that will give it to the rest of the world. The first question I ask when I'm asked to secure data is: "Do we actually need this data?" You can't steel what doesn't exist. Why the hell did this agency have data on people going back to the 1980s? Why is the NSA collecting data on all of us? It's a pointless endeavor that's putting us all at risk.

Re:No more NSA

[myowntrueself]

So the NSA is clearly useless, and making the situation worse. They are not, and cannot protect us electronically. Instead, they are collecting all of our information and storing it for the inevitable hack that will give it to the rest of the world. The first question I ask when I'm asked to secure data is: "Do we actually need this data?" You can't steel what doesn't exist. Why the hell did this agency have data on people going back to the 1980s? Why is the NSA collecting data on all of us? It's a pointless endeavor that's putting us all at risk.

The NSA don't want to protect you electronically. They need to make sure that their buddies in 5 eyes can spy on you. GCHQ, CSIS, NZSIS and ASIS all have to be able to hack you, spy on you etc. The NSA doesn't want to stand in the way of that. Hence counterintelligence operations in the 5 eyes nations are a shambles.

Re:so what

[ProfBooty]

You don't need to be in love to get married. There's no requirement to prove love. Long term cohabitiating couples, homo or hetero don't need government validation of their relationships.

This is about recognition for benefits and property rights, though the latter was often done by homosexual couples through LLCs for joint property.

There's no reforming OPM

[MikeRT]

OPM is pretty legendary in federal circles as basically the sort of federal agency that inspired the bureaucrat jokes on Futurama. The only way to "reform" them is to just scuttle the agency and transfer its functions to the various departments. The Office of the Director of National Intelligence should get the investigators and that authority. Civil service management should be a per-department issue. Managing retirees' benefits could easily just be contracted out to whatever private companies already manage the asset pool of the pension funds. The federal retirees I know would love to deal with a bank rather than OPM. Why? A bank would actually give a shit about processing their communications in a timely fashion.

Blue Cross

[Etherwalk]

That will happen. It is only a matter of time.

Haven't you been paying attention? They already hacked blue cross, which is a shitload more concerning in terms of intelligence targets than hacking health care info for America's poor and out-of-work.

I'm one of them

[T.E.D.]

Until about a year ago, I had a security clearance. So I'm one of the 22 million. I've already been contacted by our site clearance officer. They gave me this link from the OPM about the breach, which has more information than the links in the article.

For those who haven't gone through it, during a background search they send actual human beings around to your friend and family, and then to second-order contacts they know who know you, to ask questions about you. So the OPM, and now the hackers, literally know stuff about me that I don't know.

Re:I'm one of them

[T.E.D.]

will eventually sub-contract databases to someone else (good chance a foreign company like everything else). And that database sitting on a server in China, India, or wherever

In this science fiction scenario of yours, I'd be more worried about said country instructing its workers to munge the data to let certain designated people get clearances.

Some science fiction comes to pass of course, but I'd like to think anyone with access to that particular database is required to have a COMSEC clearance (which are prohibited to "foreign persons").

You're damning them with faint praise

[MikeRT]

Most government agencies would never have let this happen in the first place because they're not stupid enough to "save money" by creating such an unbelievably high value collection of data so easily accessible to the Internet. Another thing, they would never have hired foreign contractors to work on such a critical database. OPM's contract office should be headed to Leavenworth for that decision.

Re: so what

[ProfBooty]

People are sheep.

Identification is not Authentication

[Harold+Zable]

Could someone just publish a list of everyone's name, phone numbers, addresses, and SSN's already? Then there would be some motivation for people and organizations to learn the difference between identification and authentication. Knowing a number with nine or so digits associated with an individual shouldn't give you access to their credit, whether it's their SSN or their telephone number.

Re:Identification is not Authentication

[MtnDeusExMachina]

I think you've hit on something here. The reason I think it hasn't been done yet is that it makes people work much harder at authentication, and (so far) it is too expensive to implement authentication that doesn't use the obscurity of the personal identification data.

Re:Would this have happened had they used OpenBSD?

[chill]

Answer: Yes.

It was a phishing exploit that captured credentials of a valid user. It wasn't a technical compromise. It was social engineering facilitated by technology.

You can't protect that with better code.