US Government's HR Department Has Been Hacked, Government Employee Data Leaked

from the if-you-can't-clean-up-your-own-home... dept

Fri, Jun 5th 2015 9:26am — Mike Masnick

The US government keeps insisting that companies should be giving it information in order to help the government block "cybersecurity" attacks on those companies. In fact, as just reported, the NSA is already scooping up tons of information in trying to spot malicious attacks ahead of time, despite insisting in the past that it wasn't doing this. However, before everyone starts handing over information to the federal government, shouldn't we have some sort of evidence that the US government itself actually has some decent cybersecurity skills?

Because it appears that, yet again, there has been a massive data breach, and this time, it's the US government's Office of Personnel Management (OPM), which is basically the HR department for the entire federal government. In other words, hackers may have gotten access to the personal information on tons of current and former government employees:

The agency said that in April of 2015 it had identified “a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information,” although the breach is only being disclosed now. OPM alsos said that it will notify around 4 million people whose personal information “may have been compromised”—although the number is likely to grow since the investigation is ongoing.

Taking the same idiotic, symbolic but pointless, response as the private sector every time there's a breach, the OPM is promising a some free credit reporting:

To protect employees from identity theft, OPM is giving them free “credit report access, credit monitoring and identify theft insurance and recovery services,” according to the press release.

“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” OPM Director Katherine Archuleta said in a statement.

Actually, that last statement does not appear to be true. As the report at Vice's Motherboard (linked above) notes, this is the second time in less than a year that this happened, and last time it was determined to be Chinese hackers who broke in -- and that's who is suspected again this time. In which case, "free credit reporting" services are likely to be totally useless. It's quite likely that whoever hacked in wasn't doing it to do identity fraud and swipe credit card numbers, but to get useful information for additional, more sophisticated hacks to get access to various government employees' computers and networks.

So, yeah, if the US government can't even protect its own systems against these hacks, can someone explain why, again, we're expected to have companies hand over their own information under the false belief that the government will somehow protect them against attacks as well?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: china, cybersecurity, hacked, office of personnel management, opm, us government

39 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 5 Jun 2015 @ 9:32am

Those who can, do.
Those who can't, teach.
Those who can't teach, teach PhysEd.
Those who can't teach PhysEd, work in IT for the government.
[ link to this | view in chronology ]
- Anonymous Coward, 5 Jun 2015 @ 9:50am
  
  Re:
  Its even simpler:
  Those who can do and try to cooperate with each other.
  Those who cant try to take control and prevent the cooperation.
  [ link to this | view in chronology ]
- pixelpusher220 (profile), 5 Jun 2015 @ 10:15am
  
  Re:
  Denigrating teachers isn't exactly the way to a booming economy...
  [ link to this | view in chronology ]
- Former Fed, 5 Jun 2015 @ 10:18am
  
  Re:
  If OPM is like most other federal agencies, nearly all the IT work is contracted out. The contracting companies' goal is to deliver as little as possible while charging as much as they can get away with. The COTRs - the feds responsible for monitoring the contractors' performance - often don't have the skills or the "junk yard dog" attitude needed to do a good job.
  [ link to this | view in chronology ]
David, 5 Jun 2015 @ 9:36am

If they used that "Dark" encryption ...
You know, they ones they are afraid of? Maybe they wouldn't have gotten hacked...
[ link to this | view in chronology ]
- pixelpusher220 (profile), 5 Jun 2015 @ 10:17am
  
  Re: If they used that "Dark" encryption ...
  local DC news radio said these current and former employees will get free credit monitoring.
  
  My question is *when* the NSA is hacked, are they going to give the entire world free credit monitoring?
  [ link to this | view in chronology ]
  - Anonymous Coward, 5 Jun 2015 @ 10:23am
    
    Re: Re: If they used that "Dark" encryption ...
    My question is *when* the NSA is hacked, are they going to give the entire world free credit monitoring?
    First, you cannot hack No Such Agency because it does not exist. But if it did get hacked anyway, they could of course provide free credit monitoring to the world, because they are already monitoring everyone's credit for their own nefarious ends. CC'ing you on their monitoring would be comparatively cheap, and probably a lot cheaper than buying everyone a credit monitoring package from the commercial bureaus.
    [ link to this | view in chronology ]
  - Anonymous Coward, 5 Jun 2015 @ 1:53pm
    
    Re: Re: If they used that "Dark" encryption ...
    Maybe that's the precursor...first they let themselves get hacked, then they offer the entire planet free credit monitoring. The data from the credit monitoring agencies goes straight to the NSA.
    
    Boom! We're totally safe & secure now!
    
    Unless they get hacked again, then they have to repeat the offer...oh, wait.
    [ link to this | view in chronology ]
Anonymous Anonymous Coward, 5 Jun 2015 @ 9:40am

Ostrich's
This is a good example of our government spouting the "We don't need no stinking encryption!" line is totally out of their cranial-rectal thinking.
[ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 9:56am

I still can't wrap my head around the fact that the government seems to be both "pro-cybersecurity" and "anti-encryption" at the same time.

Do those morons not realize that the two policies are incompatible? To get strong cybersecurity you need strong encryption and spy and hacking-proof systems...so why the hell are they still pushing for easy-to-spy and easy-to-hack systems in the media then?!
[ link to this | view in chronology ]
- Anonymous Coward, 5 Jun 2015 @ 9:58am
  
  Re:
  Two possible answers. They are incompetent or they allow it to advance their terrorist hacker boogeyman propaganda. Take your pick.
  [ link to this | view in chronology ]
  - ltlw0lf (profile), 5 Jun 2015 @ 10:10am
    
    Re: Re:
    Two possible answers. They are incompetent or they allow it to advance their terrorist hacker boogeyman propaganda. Take your pick.
    
    I choose both. One is what they are, and the other is the method they use to separate you from some of your paycheck.
    [ link to this | view in chronology ]
- AnonyBabs, 5 Jun 2015 @ 12:30pm
  
  Re:
  You don't understand; it's because the govt is the "good guys."
  [ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 9:57am

It seems everything is hooked to the internet these days
You gotta love the mindset that if there is a computer lying around, it has to be hooked to the internet. There are all kinds of security mechanisms to keep people from getting to systems they shouldn't get to. Some systems should not even be hooked to the internet. Just wait until the internet of things really takes hold and hackers start controlling houses, cars and anything else that isn't nailed down. We need to get a handle on security now as it is nearly impossible to secure things after the fact.
[ link to this | view in chronology ]
PlagueSD (profile), 5 Jun 2015 @ 10:05am

I'm thinking someone left the "back door" unlocked. So tell me again how having "back doors" is a good thing??
[ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 10:08am

Well...
When you give up your freedom for security you get neither.

Now the hackers have your info and the government will try to use this as an excuse to take away more of your freedom.

No encryption, bitches.
[ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 10:09am

Given a government list of government employees, subtract all those who job/department can be found in public directories, and those left are the ones that a foreign government will have the most interest in, as it likely includes many covert operators etc..
[ link to this | view in chronology ]
- Anonymous Coward, 5 Jun 2015 @ 10:26am
  
  Re:
  This is the government we are talking here. Odds are the payroll data includes things like, CIA operative in Iraq as the job title. So if you remove everything identifiable, you probably are only left with people that are on the payroll due to system bugs, or because they had already hacked the payroll system to add themselves to it.
  [ link to this | view in chronology ]
- Bamboo Harvester (profile), 5 Jun 2015 @ 11:59am
  
  Re:
  Won't work. The Official Cover people would show up as their covers (Attache, Asst to the Asst of...), NOC people would show up as day workers - do you really believe the CIA headquarters has 800 Janitors?
  [ link to this | view in chronology ]
Roger Strong (profile), 5 Jun 2015 @ 10:24am

Credit Where Credit Is Due
You can't accuse the government of hypocrisy. They didn't encrypt, and they haven't "gone dark."
[ link to this | view in chronology ]
Oblate (profile), 5 Jun 2015 @ 10:26am

"Identity theft protection"
They're offering affected employees identity theft protection- for 18 months. Why 18 months, do they think the hackers will give the information back by then? I wonder why they weren't as concerned about protecting employees information when they were designing their IT systems. The only logic I can see behind the 18 month span is that it's likely to last until the next major breach (and another 18 month protection plan).
[ link to this | view in chronology ]
- Nate (profile), 5 Jun 2015 @ 11:00am
  
  Re: "Identity theft protection"
  Does that mean 18 months identity theft protection on top of the other two offers of 18 month identity theft protection?
  
  I ask because I have letters dated 3 September and 22 March which detail two previous hacks (say the word and I will scan and post them).
  
  So is the identity theft protection offered concurrently or consecutively, do you think?
  [ link to this | view in chronology ]
  - Anonymous Anonymous Coward, 5 Jun 2015 @ 11:27am
    
    Re: Re: "Identity theft protection"
    Bah, don't you realize that you will be required to identify which breech your identity theft came from before any identity theft protection plan will be enforced? You have a 1 in 3 chance of being right (start flipping coins), now, the next breech will make it 1 in 4.
    
    Oh, and make sure you use the correct government issued breech identifier [Classified info, as you well know] when referring to breeches so that there are no mistakes because dates won't work as the breeches were all 'over a period of time' which might include days, weeks, or months depending on your perspective.
    [ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 11:12am

Looks like the identity theft insurance lobbyists' plan is coming off without a hitch...kickbacks in the form of 4 million new accounts.
[ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 11:26am

Uncle Obama
I wonder if Uncle Obama is going to pick up a year of credit monitoring for everyone who had their data stolen.
[ link to this | view in chronology ]
- Anonymous Coward, 5 Jun 2015 @ 11:28am
  
  Re: Uncle Obama
  To buy more Americans that don't care for their freedom off you sure better believe he will do it if I could.
  
  But that depends on if the puppet master that pulls this persons strings will let him do it.
  [ link to this | view in chronology ]
  - Groaker (profile), 5 Jun 2015 @ 12:36pm
    
    Re: Re: Uncle Obama
    Can't really blame Obama, as this kind of nonsense has been going on for as long as governments exist. As a recent, but pre-Obama occurrence, I observed Federal IT staff knowingly violate HIPPA security requirements because it saved time and money.
    
    Hypocrisy, thy name is government.
    [ link to this | view in chronology ]
- Anonymous Coward, 5 Jun 2015 @ 11:34am
  
  Maybe read the entire article first
  Maybe it's just a way to transfer money to the credit reporting agencies. Monitoring is not cheap for four million customers. Since the big three have taken it upon themselves to collect all of this data on consumers, perhaps they should have an obligation to make credit freezes and monitoring free.
  [ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 11:27am

Hope they used a backdoor!
And I that gets waved in their fucking faces.
[ link to this | view in chronology ]
- Anonymous Coward, 5 Jun 2015 @ 12:30pm
  
  Re: Hope they used a backdoor!
  They didn't use a backdoor you ninny!
  
  They had a golden key.
  [ link to this | view in chronology ]
DigDug, 5 Jun 2015 @ 12:07pm

Yay now idiots will be able to find the addresses of the incompetent
Which will lead to highly comical events, such as TP'ing their houses and cars, with excrement loaded TP.

Egging, door dings, keying, and whatnot.

I've got my pop-corn and remote to rewind and rewatch as hilarity ensues
[ link to this | view in chronology ]
Derek Kerton (profile), 5 Jun 2015 @ 12:15pm

Wow, Scary
Wow. Scary. Good thing I don't work for the US govt.

That means they're not storing any private information about me, so I'm not at risk.

(yes, sarcasm)
[ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 12:38pm

OPM does security clearance investigations (among other things) making them responsible for some VERY personal information.
[ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 1:12pm

If you don't encrypt, You must acquit.
[ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 2:04pm

Multiple the numbers by 4-5. Security clearance application data requires some personal information of family and friends of those applying for clearances. If that database was hacked then this isn't just about federal employees.

Will the government be offering credit "protection" for those people too?
[ link to this | view in chronology ]
- Anonymous Coward, 5 Jun 2015 @ 2:11pm
  
  Re:
  Check out:
  
  https://threatpost.com/opm-hack-may-have-exposed-security-clearance-data/113184
  
  Potentially very bad.
  [ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 4:02pm

I haven't been notified yet
My information is one of those that would have been stolen from the OMB. I have not received any notification that I will be receiving free monitoring.

According to some reports that I have seen, the hackers could wait years to use this information. I guess the Gov't owes me perpetual credit monitoring.....
[ link to this | view in chronology ]
Anonymous Coward, 5 Jun 2015 @ 4:05pm

4 months undetected
I just heard that the hack went four months without being detected.

The Australians (I think the Defence Department) used the top 4 strategies to stop hackers. They did get in, but got no information. The top 3 that I remember were:

1. Whitelisting
2. Frequent OS patching
3. Frequent application patching
[ link to this | view in chronology ]
Anonymous Coward, 8 Jun 2015 @ 2:37pm

It's genius.

The data sharing with companies will reduce attacks on the companies. The government collects loads of data from companies, puts it in a huge, poorly protected database and makes a big target for hackers. Why would the hackers bother attacking the companies with that there instead? So at a stroke, the risk of the companies getting hacked goes to zero.
[ link to this | view in chronology ]