The public now knows of two rounds of massive breaches at the federal agency that handles all personnel records. First round looks like it was essentially the basic personnel file of all current and many former federal employees.
Second round is the long forms used to process security clearances. Looks like it was military and spy agency records. Great. Those files list all relatives, making them vulnerable to coercion. Provides lots of ideas on how to turn or compromise employees.
Hackers meandered around the systems for a year.
If you want to build a deep profile of military, diplomatic, and spy agency staff for use over the next several decades, this would be a fantastic starting point. Will take a while to process all the files and synthesize with social media and published news reports, but those countries who wish us harm will have a superb database to track and compromise federal employees.
Just consider the devastating impact – the identity of spies hiding under diplomatic cover is now blown. Anyone trying to move into one of those slots or trying to go undercover in the future will probably be compromised.
6/5 – Wall Street Journal – U.S. Suspects Hackers in China Breached About 4 Million People’s Records, Officials Say – Understanding at the time was around 4M records of current and former employees were grabbed by someone in China. Discovered in April.
6/12 – WSJ – Hackers Likely Stole Security-Clearance Information During Breach of Government Agency / Hackers got into secret background investigation records on current, former U.S. officials, administration officials say. – This hack grabbed security clearance files. This is a separate database from the first set of disclosed hacks.
Large portions of OPM databases are unencrypted. Article doesn’t say whether security clearances are encrypted or not. Why OPM does not automatically encrypt every piece of information it handles is not explained.
6/12 – Yahoo – Officials: Second hack exposed military and intel data – number of people whose data has been exposed is estimated at between 9 and 14 million.
A representative of American Federation of Government Employees claims Social Security numbers are not encrypted. He also blasts the poor security.
6/9 – WSJ – Bargaining Away Your Security – How a federal union made it harder to protect employee files – AFGE filed and won a grievance against ICE holding that any changes to IT systems that affect personal use of federal computer resources by employees require negotiation with the union. Let me rephrase that – ICE is not allowed to change its IT security without negotiating changes with AFGE in advance.