Hack Of Federal Gov't Employee Info Is Much, Much Worse Than Originally Stated: Unencrypted Social Security Numbers Leaked
from the because-that's-how-this-works dept
Over a decade ago, I pointed out that every time there were reports of big "data leaks" via hacking, a few weeks after the initial report we would find out that the leak was even worse than originally reported. That maxim has held true over and over again. And here we go again. Last week, we noted that the US government's Office of Personnel Management (OPM) had been hacked, likely by Chinese hackers. Now it has come out that the hack was (you guessed it) much worse than originally reported.

The president of the union that represents federal government workers, the American Federation of Government Employees (AFGE), sent a letter to the director of the OPM claiming that the hackers got away with the Central Personnel Data File, which includes just about everything about each employee, including (get this) unencrypted Social Security numbers.
Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees. We believe that hackers have every affected person's Social Security number(s), military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more.

Oh, and then there's this:
Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.

The letter further points out, as we did last week, that the 18 months of credit monitoring the government has offered everyone is a complete joke. Credit monitoring only helps against identity fraud for financial gain, and it's unlikely that is what these hackers are after; quite likely this is for espionage purposes.
But let's go back to the Social Security numbers being unencrypted for a second. Remember, this hack is already being used by defenders of the intelligence agencies to argue for why we need stronger "cybersecurity" laws that would give the NSA and FBI much greater access to Americans' data.
And, yes, this would be the very same FBI that has actively argued against encryption. And the NSA has always hated encryption and insists it needs backdoors into any encryption.
Both of these organizations strongly support "cybersecurity" legislation, claiming that it's necessary so that the US government can "help" companies that run "critical infrastructure." And yet here we are, with the government's own personnel files held in a system without encryption, hacked and copied by (likely) foreign hackers. And we're supposed to trust two government agencies that have been going around cursing encryption when they say we should give them more access to "protect us," while another government agency's breach likely would have been far less damaging if it had just encrypted the data?
As plenty of cybersecurity experts will tell you, the problem in the security realm is not "information sharing." It's people doing stupid things in how they set up their systems. Not encrypting the personnel files of every government employee fits squarely into that category. Perhaps, rather than focusing on bogus "cybersecurity" legislation that gives more power to the idiots shouting against encryption, we should have the government focus on getting its own house in order, starting with encrypting employee data.
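What "encrypting employee data" looks like at the field level, as an added example that is not from the article and not from OPM (whose actual systems the page does not describe): a Go program that stores the SSN column as AES-GCM ciphertext bound to the employee ID, so a dumped table yields no SSNs, a ciphertext copied into another employee's row fails to decrypt, and any tampering is detected. The Record type, the employee IDs and the SSN value are constructed for the demonstration; where the key lives is the assumption that decides whether any of this helps (see the note after the code).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a hypothetical personnel row (constructed for this example).
// The employee ID is stored in the clear; the SSN is stored only as
// nonce || AES-GCM ciphertext+tag, with the employee ID as associated data.
type Record struct {
	EmployeeID string
	SSNCipher  []byte
}

// NewKey returns a random 256-bit AES key. In a real deployment the key is
// held in a KMS or HSM, never in a config file next to the database.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSSN seals ssn under key with a fresh random nonce and binds the
// ciphertext to employeeID so it cannot be transplanted into another row.
func EncryptSSN(key []byte, employeeID, ssn string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(ssn), []byte(employeeID))
	return append(nonce, ct...), nil
}

// DecryptSSN reverses EncryptSSN. It returns an error if the key is wrong,
// the blob was modified, or the blob belongs to a different employee row.
func DecryptSSN(key []byte, employeeID string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(employeeID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, _ := NewKey()
	rec := Record{EmployeeID: "E-1001"}
	// "123-45-6789" is a constructed sample value, not a real SSN.
	rec.SSNCipher, _ = EncryptSSN(key, rec.EmployeeID, "123-45-6789")
	fmt.Printf("stored row: id=%s ssn=%s\n", rec.EmployeeID, hex.EncodeToString(rec.SSNCipher))

	ssn, err := DecryptSSN(key, rec.EmployeeID, rec.SSNCipher)
	fmt.Println("app holding the key:", ssn, err)

	_, err = DecryptSSN(key, "E-2002", rec.SSNCipher)
	fmt.Println("ciphertext moved to another row:", err)

	other, _ := NewKey()
	_, err = DecryptSSN(other, rec.EmployeeID, rec.SSNCipher)
	fmt.Println("attacker with the dump but not the key:", err)
}
```

The caveat a practitioner wants stated plainly: this only helps if the attacker reaches the database without also reaching the key. If the key sits in a config file beside the data, or the attacker steals the credentials of an application that is allowed to call DecryptSSN, the records decrypt exactly as if the column had been cleartext. Keep the key in a KMS or HSM, log every decrypt, and alarm on bulk decryption; at-rest encryption then turns a copied database into a much smaller problem rather than a total loss.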
Filed Under: cybersecurity, federal government, leaks, opm, social security numbers, unencrypted
Reader Comments
The First Word
Follow the Money
Just a comment on this, since it's making lots of news. The letter is from the Employees' Union, not a tech expert or anyone involved in the investigation. They are making noise because they want more money/compensation for the employees. They don't have any more inside information than anyone else.

Read the letter - he is claiming that they "suspect" this based on "sketchy information". He then uses his suspicion to begin to make the case that the employees (the union?) need more info/money/power.
This is Washington, folks. Follow the money. This wasn't someone who knows more than the people working the hack. This was a political move. Doesn't mean it's not much worse than OPM knows or has admitted; doesn't mean it is. Just be careful and think it through.
That makes sense
Re:
Seriously, the US news is starting to sound like a plot for a bad action movie.
IS RUSSIA HACKING FOR IS PROPAGANDING!
This BODES ILL!
HEY, WAIT. What TROO Amercain spells "Carl" JUST LIKE KARL MARX!? -- KRAP! RUSSIAN GOT KARL!
I feel bad for anyone who looks like they might have Asian ancestry or a name that sounds vaguely Chinese - the next few years are really going to suck for them. But hey, at least the next time Target gets hacked and their data shows up for sale on some shady Tor site, they'll find out about it, while probably sitting in a jail cell.
Tin Foil Hat Engaged
What’s So Secret About Social Security Numbers, Anyway?
Re: What’s So Secret About Social Security Numbers, Anyway?
(For those that don't know: until recently the first 3 numbers of the SSN designated the office that issued the number. Because most people got their number from the office in the city or county they were born in everybody thought the number was coded for their birth area.)
Re: Re: Re: What’s So Secret About Social Security Numbers, Anyway?
The first three digits indicated the geographical area, the second two are a group number, and the last four are a serial number.
By the way, there's a handy SSN decoder here: http://stevemorse.org/ssn/ssn.html
Re: What’s So Secret About Social Security Numbers, Anyway?
(1) Amend liability laws to provide that any organization which uses SSN as sufficient proof of identity is considered negligent for the purpose of verifying identity. If an organization issues credit (whether credit card, bank transfer, bank loan, insurance payment, etc.) solely because the recipient knew a name+SSN pair, then they cannot avail themselves of any legal processes to try to collect from the actual owner of that SSN. This would effectively outlaw relying on the SSN for financial transactions, since no organization that continued to rely on it could collect payments due to it. Any organization that did not update their identity verification mechanism could be legally defrauded by anyone who knew a name+SSN mapping, with no recourse by the organization.
(2) Direct the Social Security Administration to publish a full list of all the name to SSN mappings, for every person with a number, living or dead. Going forward, new numbers would be published when issued (or on some convenient schedule, such as a monthly dump of all numbers issued since the last dump). The big dump would come a specified number of months (say, 6-12) after the liability change kicks in. After the data dump begins, defrauding defective organizations would be easy. Widespread lawful fraud would compel them to switch to a better mechanism.
In kind services
Besides, whomever hacked this database now has a fairly complete list of US Government sponsored terrorists who spend their time denying the fact that they are the terrorists.
Thank goodness…
On a side note about SSNs...
Re: On a side note about SSNs...
By the way, with a few exceptions centered around businesses that are required to report to the government, no business can legally demand your SSN. Most businesses that ask for it will assign a different ID number to you if you refuse to provide it. Some even tell you that on their forms.
It is an essential feature.
1. Someone in the AFGE wants to access data on a federal employee.
2. Big Ass Golden Key for Everyone (BAGKE) is used by a hacker to copy the data in the database.
3. As the data is traveling along the backbone, the data is then copied once again by the NSA and relayed to whoever was asking for that data.
As you can see, encryption would clearly be in the way and make it much harder to find the right data on the backbone. Trust me... I am an expert.
Oh, it's MUCH worse than merely SS numbers
There's stuff in there about employment. About sex practices and partners. About any brushes with law enforcement. About EVERYTHING.
If you were looking for people to blackmail and for information to do it with, this is the paperwork you'd want.
And that "foreign national" part has implications too, as there are a number of governments on this planet that might choose to go after their own citizens based on association with people employed by the US government.
The failure here is stunning. Those forms shouldn't be merely encrypted, they should be on airgapped computers so that acquiring them requires physical access plus hacking those systems plus breaking the encryption. Heck, they should probably be encrypted with an N of M cipher (that is, one that uses M keys and requires that N, N
A friend once took a temporary job in the Alaska office of a large national charity, to cover an accountant who was on vacation. She discovered that the accountant had been embezzling. It was a MAJOR disaster for the charity, as the news would affect further donations and funding.
"Luckily" the Exxon Valdez had recently hit a rock, and they got to talk to the PR firm brought in to clean up the mess.
The advice: Release ALL the information, every last detail, all at once. It would get the same amount of coverage on day one regardless, and on day two it would be old news. With no further information to be leaked, nothing new to report, there would be no new headlines.
This is why WikiLeaks and the folks holding Snowden's documents prefer a slow trickle of releases. One big release would make headlines on day one, and the vast majority of the information would be unreported and overlooked. A slow, steady release of documents means that each is a fresh story, to get new coverage in the press.
It's a lesson that those with big "data leaks" should learn.
What's the big deal?
Encryption
Crisis averted. Thanks Michael Steinbach and William Crowley. Enjoy your brave new world.
Re:
The way this is gonna be spun out is not that the data wasn't encrypted, but rather that this happened because hackers are bad and foreign hackers are the worst. They will then insist that in order to catch such people, they need more access and less encryption, as if anyone will automatically obey these rules.
There will never be any apology or admission of any bad judgement or sloppiness on their part, only ever accusations of others and the constant pushing for more power.
Everyone seems to be forgetting that Obama promised to have the most transparent administration in the history of the United States.......
U THINK YOU KNOW HOW BAD IT IS??