US Government's HR Department Has Been Hacked, Government Employee Data Leaked
from the if-you-can't-clean-up-your-own-home... dept
The US government keeps insisting that companies should be giving it information in order to help the government block "cybersecurity" attacks on those companies. In fact, as just reported, the NSA is already scooping up tons of information in trying to spot malicious attacks ahead of time, despite insisting in the past that it wasn't doing this. However, before everyone starts handing over information to the federal government, shouldn't we have some sort of evidence that the US government itself actually has some decent cybersecurity skills?Because it appears that, yet again, there has been a massive data breach, and this time, it's the US government's Office of Personnel Management (OPM), which is basically the HR department for the entire federal government. In other words, hackers may have gotten access to the personal information on tons of current and former government employees:
The agency said that in April of 2015 it had identified “a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information,” although the breach is only being disclosed now. OPM alsos said that it will notify around 4 million people whose personal information “may have been compromised”—although the number is likely to grow since the investigation is ongoing.Taking the same idiotic, symbolic but pointless, response as the private sector every time there's a breach, the OPM is promising a some free credit reporting:
To protect employees from identity theft, OPM is giving them free “credit report access, credit monitoring and identify theft insurance and recovery services,” according to the press release.Actually, that last statement does not appear to be true. As the report at Vice's Motherboard (linked above) notes, this is the second time in less than a year that this happened, and last time it was determined to be Chinese hackers who broke in -- and that's who is suspected again this time. In which case, "free credit reporting" services are likely to be totally useless. It's quite likely that whoever hacked in wasn't doing it to do identity fraud and swipe credit card numbers, but to get useful information for additional, more sophisticated hacks to get access to various government employees' computers and networks.
“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” OPM Director Katherine Archuleta said in a statement.
So, yeah, if the US government can't even protect its own systems against these hacks, can someone explain why, again, we're expected to have companies hand over their own information under the false belief that the government will somehow protect them against attacks as well?
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: china, cybersecurity, hacked, office of personnel management, opm, us government
Reader Comments
Subscribe: RSS
View by: Time | Thread
Those who can't, teach.
Those who can't teach, teach PhysEd.
Those who can't teach PhysEd, work in IT for the government.
[ link to this | view in thread ]
If they used that "Dark" encryption ...
[ link to this | view in thread ]
Ostrich's
[ link to this | view in thread ]
Re:
Those who can do and try to cooperate with each other.
Those who cant try to take control and prevent the cooperation.
[ link to this | view in thread ]
Do those morons not realize that the two policies are incompatible? To get strong cybersecurity you need strong encryption and spy and hacking-proof systems...so why the hell are they still pushing for easy-to-spy and easy-to-hack systems in the media then?!
[ link to this | view in thread ]
It seems everything is hooked to the internet these days
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Well...
Now the hackers have your info and the government will try to use this as an excuse to take away more of your freedom.
No encryption, bitches.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
I choose both. One is what they are, and the other is the method they use to separate you from some of your paycheck.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: If they used that "Dark" encryption ...
My question is *when* the NSA is hacked, are they going to give the entire world free credit monitoring?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: If they used that "Dark" encryption ...
[ link to this | view in thread ]
Credit Where Credit Is Due
[ link to this | view in thread ]
"Identity theft protection"
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: "Identity theft protection"
I ask because I have letters dated 3 September and 22 March which detail two previous hacks (say the word and I will scan and post them).
So is the identity theft protection offered concurrently or consecutively, do you think?
[ link to this | view in thread ]
[ link to this | view in thread ]
Uncle Obama
[ link to this | view in thread ]
Re: Re: "Identity theft protection"
Oh, and make sure you use the correct government issued breech identifier [Classified info, as you well know] when referring to breeches so that there are no mistakes because dates won't work as the breeches were all 'over a period of time' which might include days, weeks, or months depending on your perspective.
[ link to this | view in thread ]
Hope they used a backdoor!
[ link to this | view in thread ]
Re: Uncle Obama
But that depends on if the puppet master that pulls this persons strings will let him do it.
[ link to this | view in thread ]
Maybe read the entire article first
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Yay now idiots will be able to find the addresses of the incompetent
Egging, door dings, keying, and whatnot.
I've got my pop-corn and remote to rewind and rewatch as hilarity ensues
[ link to this | view in thread ]
Wow, Scary
That means they're not storing any private information about me, so I'm not at risk.
(yes, sarcasm)
[ link to this | view in thread ]
Re: Hope they used a backdoor!
They had a golden key.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Uncle Obama
Hypocrisy, thy name is government.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: If they used that "Dark" encryption ...
Boom! We're totally safe & secure now!
Unless they get hacked again, then they have to repeat the offer...oh, wait.
[ link to this | view in thread ]
Will the government be offering credit "protection" for those people too?
[ link to this | view in thread ]
Re:
https://threatpost.com/opm-hack-may-have-exposed-security-clearance-data/113184
Potentially very bad.
[ link to this | view in thread ]
I haven't been notified yet
According to some reports that I have seen, the hackers could wait years to use this information. I guess the Gov't owes me perpetual credit monitoring.....
[ link to this | view in thread ]
4 months undetected
The Australians (I think the Defence Department) used the top 4 strategies to stop hackers. They did get in, but got no information. The top 3 that I remember were:
1. Whitelisting
2. Frequent OS patching
3. Frequent application patching
[ link to this | view in thread ]
The data sharing with companies will reduce attacks on the companies. The government collects loads of data from companies, puts it in a huge, poorly protected database and makes a big target for hackers. Why would the hackers bother attacking the companies with that there instead? So at a stroke, the risk of the companies getting hacked goes to zero.
[ link to this | view in thread ]