US govt now says 21.5 million people exposed by OPM hack – here's what you need to know

The US Office of Personnel Management has come clean on the full extent of the massive data breach that it first disclosed in June, and it's far worse than what was initially thought. On Thursday, OPM announced that records including data from background checks of some 21.5 million people – including present, former, and …

  1. Mark 85 Silver badge
    Facepalm

    Well.. duh...

    The National Security Council's Daniel added that attacks like the ones that hit the OPM are "not without precedent," and added that increased cybersecurity was a top national priority as the internet is increasingly being used as a tool by criminals and nation-states.

    So they just now realized this? We in the bush have been dodging this bullet and fighting it for years and now they just..... His agency has been doing this (hacking and spying) for years.. but cybersecurity for the rest of the government was never a priority? Jeeessh, what a bunch of tossers.

    I think the US Government needs a new department: The Department of the Obvious and anyone who makes such statements or is surprised by this needs to be transferred to it posthaste.

    1. Borg.King
      Facepalm

      "transferred to it posthaste"

      Read that as 'transferred to its prostate'.

    2. Anonymous Coward
      Anonymous Coward

      Re: Well.. duh...

      I assume this is because of the tight security the US Government uses - they don't...?

      For some reason all governments are hopeless at IT security. I can only assume it is because the politicians are totally clueless about anything in the real world and/or they have the idea 'we are too mighty for anyone to do that to us' which just proves they should not be in power.

      Someone said, I can't remember who, 'That all politicians should be limited to two terms, one in office followed by an equal length one in prison.' Something like that might just concentrate their thinking.

  2. elDog Silver badge

    Nice words - makes you feel all warm and

    Moist. Like being inundated with the same old shit.

    "We want you to know that we take your privacy..."

    "We don't expect that anyone will actually use your vitals..."

    "Everyone else is hacked, so why shouldn't we be too?"

    "We hire the top IT staff from around the world. What's to worry?"

    And the classic:

    "We have arranged for the 20 million (plus or minus 100 million) to receive reduced-rate credit checks."

    Oh, and if you have filled out an SF-86 (I have), don't bother applying for any job in the future. You are probably suspect.

  3. Blofeld's Cat
    FAIL

    Hmm...

    I can't help wondering if there have been more of these "hacking" incidents where the intruder has quietly taken the data and not left any traces. Surely serious players (such as a nation state), would want to retain their access to the data for further mining when necessary.

    Maybe somebody simply got careless, or some amateur blundered in and gave the game away. On the other hand, somebody may be making a very embarrassing, and public, point.

    1. fajensen Silver badge

      Re: Hmm...

      A devious nation state would use the access to search for competent people with security clearance and have it revoked, slowly ablating the capabilities of the enemy. Judging from the last decade or so of American foreign policy, it seems to be exactly what is going on.

  4. BristolBachelor Gold badge
    Coat

    By any account, the attack was one of the worst in history

    So in the same press release, did they say how many people's details were spied on by the NSA? Was it less than this, or was it something like 98% of the people who use the Internet?

    I'd like to say FUCKING HYPOCRITES but somehow that feels too soft.

    1. Anonymous Coward
      Anonymous Coward

      Re: By any account, the attack was one of the worst in history

      The NSA by default will not get anything even remotely approaching the level of personal information stolen in this case. It will take officially painting a big "target" circle on your back, getting the CIA/FBI and the IRS on your case to join them and even then the information will be incomplete compared to what was lifted here.

      In any case - this type of breach was impossible in the days of paper records. You could not just walk into the archive and truck the whole of it out. Files not in use were put into deep storage and not pulled unless under investigation.

      The digital replica of that system _SHOULD_ have followed a similar design where anything and everything that is _ARCHIVE_ is in deep storage. Well, it did not. Someone with a total data awareness obsession produced a total data clusterf*ck. Unused data was not put in cold storage or air-gapped, and there was no rate limit on access to it. Once you got onto the network you could pilfer the whole database and buzz off.

      This is a repeat of the Snowden incident - a massive data storage obsession problem open to anyone, and storing data in a form which is not fit for purpose by design. Unfortunately, the architects of the problem who instigated the total data awareness clusterf*ck will not be court-martialed. We will once again have a hapless scapegoat (this time the OPM director) made to walk the plank. And the incident will repeat elsewhere. Again. And again. And again.
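The design point the commenter makes above (archived records should be tiered away from active ones, and retrieval from the archive tier should be rate-limited per principal so a single network foothold cannot drain the whole store) is easy to state and easy to skip. The block below is an added example written for this page, not code from the commenter, from OPM or from any real system: it replays a constructed access log through a per-principal sliding-window limit on archive-tier pulls and reports which retrievals would have been denied. The log format, the principal names, the record IDs, the `ARCHIVE_LIMIT` and `WINDOW` values are all assumptions chosen for illustration.

```python
"""Added example: per-principal rate limit on archive-tier record retrieval.
Not from the thread or from OPM; log format, names and thresholds are assumed."""
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, principal, record id, tier.
# "archive" marks deep-storage records that should rarely be touched;
# "active" marks records in current use and is left unlimited here.
SAMPLE_LOG = """\
2015-06-01T09:00:01Z alice rec-1001 active
2015-06-01T09:00:05Z alice rec-1002 active
2015-06-01T09:01:00Z svc-batch rec-5001 archive
2015-06-01T09:01:01Z svc-batch rec-5002 archive
2015-06-01T09:01:02Z svc-batch rec-5003 archive
2015-06-01T09:01:03Z svc-batch rec-5004 archive
2015-06-01T09:01:04Z svc-batch rec-5005 archive
2015-06-01T09:01:05Z svc-batch rec-5006 archive
2015-06-01T10:30:00Z bob rec-7001 archive
2015-06-01T11:45:00Z bob rec-7002 archive
"""

ARCHIVE_LIMIT = 5              # assumed: max archive pulls per principal per window
WINDOW = timedelta(minutes=10)  # assumed: sliding window length


def parse_line(line):
    """Split one log line into (timestamp, principal, record_id, tier)."""
    ts, principal, rec, tier = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, rec, tier


def check_access(log_text, limit=ARCHIVE_LIMIT, window=WINDOW):
    """Replay the log in order; return (allowed, denied) lists of (principal, record_id).

    A pull from the archive tier is denied when the principal already has
    `limit` archive pulls inside the trailing `window`; denied pulls do not
    count toward the window, so a blocked caller cannot lock itself out further.
    """
    recent = defaultdict(deque)  # principal -> timestamps of allowed archive pulls
    allowed, denied = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, who, rec, tier = parse_line(line)
        if tier != "archive":
            allowed.append((who, rec))
            continue
        q = recent[who]
        while q and ts - q[0] > window:   # drop pulls that fell out of the window
            q.popleft()
        if len(q) >= limit:
            denied.append((who, rec))
            continue
        q.append(ts)
        allowed.append((who, rec))
    return allowed, denied


def offenders(log_text, **kw):
    """Principals with at least one denied archive pull, for an alert or a ticket."""
    _, denied = check_access(log_text, **kw)
    return sorted({who for who, _ in denied})


if __name__ == "__main__":
    ok, blocked = check_access(SAMPLE_LOG)
    print("allowed:", len(ok), "denied:", blocked, "offenders:", offenders(SAMPLE_LOG))
```

On the constructed log, `svc-batch` pulls six archive records in five seconds and the sixth is refused, while `bob`'s two pulls an hour apart and `alice`'s active-tier reads all pass. In a real deployment the limit would sit in front of the archive store itself (not in a log replay after the fact), the threshold would be set from a baseline of genuine investigative use, and a denial would page someone rather than silently continue.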

      1. Anonymous Coward
        Go

        Re: By any account, the attack was one of the worst in history

        But, they said lessons were learned!

  5. Destroy All Monsters Silver badge
    Facepalm

    "And I think that's a shift that all of us need to be mindful that we need to continue to make."

    Is this why there are efforts to put crypto back in the box now?

  6. Kev99

    It would help if Congress would return the SSN to its original intent in the original law - to identify beneficiaries of social security benefits. Not for everything under the sun.

    1. Anonymous Coward
      Anonymous Coward

      I think it doesn't particularly matter anymore...

  7. Anonymous Coward
    Anonymous Coward

    it gets better

    I work for a large government agency and the last few weeks have been amazing. The cleanup we've been asked to do is Exactly.What.We.Should.Be.Doing, in the right order, and with well thought out deadlines. On top of that, the inertia of the OPM breach has allowed us to clean out years of bureaucratic bullshit.

    Now, if we could just break the unions...

    1. Anonymous Coward
      Anonymous Coward

      Re: Now, if we could just break the unions...

      We could grind you plebs right into the ground...

  8. Shannon Jacobs
    Holmes

    Richard Clarke already announced this news

    Look for the book Cyber War. The less things change, the more they stay the same--but I'm not actually blaming the Reg for reporting this non-new news. The devil is in the details, so I only hope my own details were too old to be included... I can think of at least three paths by which I could have been included somewhere...

    1. Destroy All Monsters Silver badge

      Re: Richard Clarke already announced this news

      Please, no Richard Clarke. This is not "cyberwar" or other heavy-breathing fantasy of the ones in need of fame and money, it's just a leisurely download action.

    2. Anonymous Coward
      Anonymous Coward

      Re: Richard Clarke already announced this news

      I wish they had digitized records going back to the 1950s. I'd enjoy finding out that my relatives worked on any of the bomb projects.

      1. Anonymous Coward
        Anonymous Coward

        Re: Richard Clarke already announced this news

        Probably a bit better than finding out that one's relatives managed genocide in Guatemala.

    3. Anonymous Coward
      Anonymous Coward

      Re: Richard Clarke already announced this news

      Shannon, I went and looked. The cutoff is the year 2000 (take that with a ton of salt). I'm far earlier than that ('77), as is the rest of my (extended) family. Hope this helps.

  9. DougS Silver badge

    We can only hope it was the Chinese government that got it

    If so at least we don't have to worry about identity theft. If it was some Russian hackers who accessed via a compromised network in China, look out!

    1. Paul Shirley

      Re: We can only hope it was the Chinese government that got it

      Dropping a few million extracts in hacking forums would cause chaos, and the US is not going to go to war with China even if they could prove it. Repeat for a couple of years. Watch the US government make increasingly stupid and freedom-destroying choices.

      If a government has this and is not one of your allies, you're screwed. You're less screwed if an ally has it... they might use lube.

  10. Shades
    Stop

    James Clapper

    I wouldn't believe a single thing that lying fucking cockwomble says!

  11. ecofeco Silver badge

    Oh the fucking irony

    The Sheriff of Nottingham persecutes his subjects in the name of security, but gets pwned anyway from an entirely different direction.

    How's that domestic spying working for ya, bois?

    Next up, the moral of Marie Antoinette will have to be learned again.

  12. dan1980

    "Certainly, during the Cold War nobody would have thought of OPM as a target for identity theft or espionage," said National Security Council cybersecurity coordinator Michael Daniel during a press conference call on Thursday. "Just the nature of paper files and the way that we thought about information didn't lend itself to that."

    No. Shit.

    And THIS - this right here - is the problem with equating the mass collection of data with anything that has preceded it. Metadata collection is not equivalent to hiring someone to look at addresses on an envelope. CCTV cameras everywhere, hooked up to huge banks of storage and monitored by advanced facial-recognition software is not the same as having an undercover police officer surveil a suspect. And requiring encryption that can be broken by a third party is not the same as being able to enter a house with a warrant.

    Physical files take a certain amount of time and effort to steal, and that increases as the volume of the haul increases. Likewise, trailing a person to find out where they go takes resources, and this limits how many people can be so monitored and for how long. Same with searching a house - warrant or not - it takes people and planning and time.

    The fact that the 'traditional' way of getting at this information is labour-intensive and, therefore, costly means that law enforcement agencies have to prioritise their resources, which results, generally, in having to make a case for assigning those resources to specified targets.

    The current situation, where data on everybody can be slurped without any extra effort, is the essential evil because it makes something that should be exceptional into something that becomes viewed as common-place.

    Glad at least someone in one of our governments has begun to glimpse the hazy outlines of this truth.

  13. Paul J Turner

    I would not be surprised

    if the US didn't think of spooks in the five-eyes alliance as working for them too and so had equivalent information on those people too. If that was shown to have any grain of truth this could get even uglier.

    1. Primus Secundus Tertius Silver badge

      Re: I would not be surprised

      Just what I was thinking.

      Now why do I get all that spam email in Chinese characters?

  14. Maty

    First they slurp all the data they can - legally or otherwise. Then stick it on a server so world + dog can hack it.

    Next, they give a sickly grin and promise it won't happen again.

    Rinse and repeat. And we - the general public - believe them. Right now the security services and general public are in an abusive relationship.

    1. Anonymous Coward
      Anonymous Coward

      I thought OPM maintained records that were filled out by the individuals whose data we can now peruse at our leisure, not captured off the wire by a 1/4 million dollar black box.

  15. Eclectic Man

    It's nice to know ...

    <Sarcasm Alert>

    that they take such care of their own data. After all they have access to all of the visa applications, fingerprints of people visiting the USA on business, oh and financial transaction data from the EU. But that's ok because they wouldn't let anyone gain access to that now, would they?

    <End Sarcasm Alert>

    1. Anonymous Coward
      Anonymous Coward

      Re: It's nice to know ...

      >... access to all of the visa applications, fingerprints of people visiting the USA on business ...<

      So: Having recently visited the US under the Visa Waiver Program (ESTA), I have even more recently received an email from the Department of Homeland Security (sic) asking me to participate in an on-line survey and report on my experience of going through the border control system ...

      How paranoid should I be ?

      1. fajensen Silver badge

        Re: It's nice to know ...

        How paranoid should I be ?

        It will probably be wise to use the computer at a public library for that survey!?

  16. Anonymous Coward
    Mushroom

    "We should be improving cybersecurity"

    Good luck with that. Just like GTW, the only way to win this game is not to play.

    There is no legitimate reason for governments and companies to hold private personal information that ruins people's lives when it inevitably gets into the wrong hands. And no one is safe, including the bad guys of all stripes.

  17. Anonymous Coward
    Anonymous Coward

    "We should be improving cybersecurity"

    "There is no legitimate reason for governments and companies to hold private personal information that ruins people's lives when it inevitably gets into the wrong hands." -- Or we could create a system where it'd not matter if your medical history and personal details were known. Drop the antagonism. Oh wait, we love it too much....

    1. onebignerd

      Re: "We should be improving cybersecurity"

      Don't get your hopes up, this has been going on since '83 after Pres Reagan saw War Games and asked if that was a reality. Billions of dollars, endless presidential directives and orders, panels and studies, and still many systems are 20 - 35+ year old legacy systems running programs years out of support, a lot written in Cobol, which they spend millions finding people to support. Read the big report just published by Homeland Security and/or read Dark Territory by Fred Kaplan to see the sad shape cyber security has always been in in the Government.

  18. Brian Allan 1

    And this is without providing back doors to security keys! Just wait until the government (in their collective wisdom) provides a back door for hackers...

    bwa

  19. Where not exists
    FAIL

    Good luck getting notified...

    The information page about the "incident" on OPM's website states that they will be sending notification letters to everyone affected by the breach. If OPM does as good a job of finding people as the VA did, then most people will never get any notification.

    http://www.npr.org/2015/06/23/416408655/the-vas-broken-promise-to-thousands-of-vets-exposed-to-mustard-gas
