US OPM boss quits after hackers stole chapter and verse on 21.5m Americans' lives The director of the US Office of Personnel Management has handed in her resignation in the wake of further revelations about the scale of the hacking attack on the agency. "This morning, I offered, and the President accepted, my resignation as the Director of the Office of Personnel Management," she said in a statement. "I …
Last month, the OPM admitted that the personnel records of 4.1 million federal government employees had been stolen from its servers by hackers unknown. Then on Thursday the OPM revealed that an additional 21.5 million dossiers...
So that 25 million Merkans lives...
that we know about...
so far...
The most disturbing aspect of this is the fact that one side of the Government is pushing for back-doors in encryption technology, and another side of the Government is losing the data that can allow the key-holders of the back-door to be blackmailed. Bravo!
Sorry, when I see statements like these:
... an additional 21.5 million dossiers... had been filched by hackers. The intruders had spent six months in the agency's servers.the agency wasn't even sure how many computer networks it had.
I say that translates to 'we don't know what they took, how long they had been there or how well they really covered their tracks.'
As a result I would posit that if you ever filed for a security clearance then you can safely assume that your data was taken. This is no different from walking into the room of the worst hoarder and trying to figure out what was stolen over the course of who knows how long by looking where the dust was disturbed.
"if you ever filed for a security clearance..."
I expect not. OPM was quite a bit behind in digitizing old documents, probably including the security clearance questionnaires and any information collected during background investigations. From 2003 or so the SF-86 form was a filled PDF served by OPM, and I think the background investigation data was set up similarly; those surely are gone. SF-86 before then and other similar forms such as the SF-85p may still exist only on paper. Newer ones and the related background investigation data probably were digitized as received and older ones would have been done as time and other resources allowed; some of those may not be gone, but the more recent ones that matter the most probably are. The backfile conversion data may be scanner output files, a bit more difficult or costly to use than the recent SF-86 data.
OPM may never know enough detail about it to be sure, but over time will come pretty close. There is likely to be uncertainty about the status of those in process during the breach period, whether new or backfile conversion. Similar considerations probably apply to other types of clearance processing, for example National Agency Checks and National Agency Checks with Inquiries. OPM probably will notify everyone whose information cannot be shown never to have been digitized.
This post has been deleted by its author
Granted to many he was the lesser of two shitty choices each time but I didn't think an administration could hold its own people less accountable than Bush did until Obama came along. I think he actually thought his political hack buddy could weather the storm. Just showing once again neither party gives a damn about the country (this problem has been many administrations in the making), only their own power.
She's retiring - can't say I blame her, I'd do the same thing if I could afford it.
But what boggles the mind is - just what in heavens name was this stuff doing connected to the Internet in the first place? Chances are it was some automated program at the NSA that took the stuff anyway.
As noted, the paper SF-86 has been replaced by an application served from OPM. That is not a reason to for the database containing the data to be on a network attached to the internet. At my former agency (not OPM) we were exceedingly careful about Personally Identifiable Information leaks; this is the mother all PII compromises.
For one thing, everyone and their brother wanted interviews, to point the blame, etc. The new person will at least have a few weeks before the next sh**storm hits.
And, this being politics, a head rolled. Congress will be happy as they found a scapegoat. The media will be happy and find the next "big story". The populace will fall back into a state of apathy and listening the politicos various ranting as it's "pre-election season".
Why is it that with time, I gaining cynicism and not losing any like I lose my hair?
So if your credit card is stolen, banks will freeze the card immediately; and they issue a new card lickety split. If a Social Security Number is stolen the SSA yawns, and 21.5M people suffer the consequences.
The conspiricy theorist in me wonders why.
Laziness, cheapness, incompetence, stupidity, _______ - you fill in the blank.
I think the only one you forgot is lack of planning. A Social Security Number is only nine digits so the theoretical maximum is a billion numbers of which several groups are either reserved or invalid, good luck getting a number starting with 666 for instance. Also about 450M numbers have been issued1. In short about half of the numbers have been used and the SSA states that they will not reuse any number. If they started handing out new numbers every time the gubbermint or some similarly incompetent private organization fucked the dog, they would have run out of numbers weeks months years or even decades ago.
1. See Q19
Eddy, why not make the number space bigger? Eventually the SSA will run out of numbers. Virtually the entire free world did it for Y2K. The world is doing it with IPV6. Tell me the SSA can't.
Not all organizations that gave up personal info is incompetent; sometimes the criminals are smarter. Heck even RSA got hacked.
Virtually every American has multiple credit/debit/ATM cards; how does VISA, MasterCard, AMEX, and Discover Card cope?
Why? Simple, we're talking about the same SSA that has been struggling for years to keep it's systems updated. There's a reason they are so adamant about not changing things. Besides it will take the SSA fifty years to figure out how to expand the space without breaking existing code or mistaking a SSN for a credit card or telephone number. In the end it will wind up being an internal political war between the SSN+4 faction going against the HEXers a.k.a. 0xSSN faction.
@EddyIto.
I don't think you would get any arguments from many about the general incompetence of government bureacracies.
And I don't think that anyone would argue that in the US that easily stealable SSNs contribute to stolen identities.
Given these two factors, what would you propose to stop indentity theft?
A "sexortionist" gets 105 years time for getting (~200) idiotic teens to choose to send him explicit pictures of themselves then blackmailing them, whilst the US OPM has merely lost her job and almost certainly faces no charges for negligence that amounts to potentially 21 million financially ruined lives. Justice, you gotta love it, eh?
No doubt her parting words, as for every public servant in this situation, were: "I've done nothing wrong".
Password rules : Should I disallow “leetspeak” dictionary passwords like XKCD's Tr0ub4dor&3
Asked: Today
I am the lead developer for an upcoming government website which will expose sensitive personal information (criminal history, SSNs, etc primarily). The website will be consumed by the general public, for doing background checks on employees etc.
One arm of the US government - the NSA - conducts the most intrusive sweeping data intelligence gathering activities, targeting foreign governments (friendly and not), commercial interests (Petrobras et al.), and even American citizens.
Another arm of the US government compiles and stores sensitive data on American citizens who work for Government agencies and the military and fails to implement even rudimentary safeguards to protect sensitive information.
The FBI and other law enforcement agencies are purchasing Italian spyware to use in investigations, and they are asking for backdoors in encryption technology. Multiple law enforcement agencies are conducting extensive domestic surveillance using aircraft, automated license plate reading technology and tracking movements and communications of Americans without warrants.
There are numerous reasons for patriotic Americans to question whether the US government is acting in our best interests and according to our values. It is evident that the government cannot be trusted with our data and it cannot be trusted with oversight. The wonderful thing about the Internet age is that it enables the people to take back their government in new and interesting ways. Americans are nothing if not inventive. I expect interesting times ahead.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
