CNET
A December breach of government systems containing personal information of millions of federal employees was worse than originally thought.
A union of federal workers said Thursday that the attack, announced last week, had stolen confidential information of every single federal employee, past or present -- far more than was previously revealed. The government disputes those claims.
It's the latest in a spree of damaging hacks against the government, including an attack in March 2014 that also involved federal employee records.
Hackers acting in the name of a political agenda, and those paid by other countries, have stepped up their efforts to breach U.S. government systems for a variety of reasons. In some cases, they've hoped to embarrass President Barack Obama's administration, and in others they've made statements about the US military. Successful attacks include a group that breached the CIA's public website, another that took control of the US military's Twitter feed, and a group that successfully intercepted the president's emails.
In this case, if the union is correct, the hack would be the first to affect every employee of any organization or company.
The union's allegations come a few months after Obama promised the federal government would work with companies to protect people from hacks and identity theft. Obama's administration has since blamed Chinese hackers for the breach of federal employee information.
"We believe that hackers are have every affected person's Social Security number, military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more," American Federation of Government Employees President J. David Cox wrote in a letter to the US Office of Personnel Management. Worse, he wrote the Social Security numbers of employees don't appear to have been protected with encryption algorithms, a standard security measure for sensitive information. Cox called the lack of adequate security controls "absolutely indefensible and outrageous."
Jackie Koszczuk, a spokeswoman for the Office of Personnel Management, said in the Associated Press report that every current and retired federal employee's records were compromised was not correct.
The letter was first obtained by the Associated Press.
The attack was first revealed last week, when the government said the personal information of 4 million federal workers had been breached. The union said it believes "the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees," Cox wrote.
The government has pledged to notify each affected employee of the hack and offer services to help counter any abuse of their information.
the register
And there's more
Have you ever served in the military? Whose military? And how'd that work out for you? Were you honorably discharged or was it something else? Ever been to military court?
And how about the civilian courts and police? Have you ever been arrested for anything in the last seven years? Been charged? Cited? Issued a ticket? And by the way, if the offense involved drugs or alcohol in any way, there's an extra box for you to tick.
While we're on the subject, how would you describe your relationship with drugs and alcohol? Have you ever used any? The form has boxes for you to tick to explain what. Have you ever received counseling or treatment? More boxes. Or how about this: Have you ever been advised to seek counseling or treatment? Let's get it all on the table.
"Has your use of alcohol had a negative impact on your work performance, your professional or personal relationships, your finances, or resulted in intervention by law enforcement/public safety personnel?" Tell the truth.
And in a general sense, how do you feel? Not that the government wants to poke into your mental health – "mental health counseling in and of itself is not a reason to revoke or deny eligibility for access to classified information or for a sensitive position," the form helpfully explains – but no, seriously, have you ever received mental or emotional health treatment? The government would like to know the name and address of your doctor, if so.
And what about money? Have you ever filed for bankruptcy protection? Had problems with gambling? What kind of numbers are we talking about, here? Just curious. Did you pay off your debts? And who were those creditors? Names and addresses, please. And just to be thorough, make sure you list any financial problems due to credit card debts, missed alimony payments, court judgments, liens, tax debts, or anything like that.
Ever had property foreclosed or repossessed? Ever been evicted? Defaulted on a loan? Had bills or debts turned over to a collection agency? Had your wages garnished? Form 86 has boxes for everything.
And the government is particularly interested in your use of information technology systems, which it defines as "all related computer hardware, software, firmware, and data used for the communication, transmission, processing, manipulation, storage or protection of information." If during the past seven years you've accessed any systems without authorization, modified or denied others access to data that you shouldn't have, or installed or used systems that were prohibited, you have a lot of explaining to do.
Finally, when all is said and done, are you a terrorist? No, seriously, there are boxes for Yes and No. And then more boxes. Have you ever tried to overthrow the US government by force or violence? Just asking. Got friends who have? Go ahead and list their contact information.
China knows
The point is, every single person who has ever seriously applied for a position of national security significance in the US federal government has answered these questions, and they are expected to have answered them truthfully. And all of that information is on file in the Standard Form 86 database, which authorities believe has been accessed by hackers with ties to the Chinese government.
The only logical assumption to make is that every single person in the US who has some sort of connection to the intelligence community has been compromised, and no amount of ex post facto countermeasures will ever get all of the cookies back in the jar.
It's a dark day for US intelligence, and much will depend on how the Obama administration responds to the crisis. ®
Yahoo
The U.S. agency burglarized by suspected Chinese hackers has completed its long-awaited damage assessment and more than 22 million people inside and outside government likely had their personal information stolen, officials announced today.
That number is more than five times larger than what the Office of Personnel Management announced a month ago when first acknowledging a major breach had occurred. At the time, OPM only disclosed that the personnel records of 4.2 million current and former federal employees had been compromised.
The extent of the hacking was first reported earlier today by ABC News.
Investigators ultimately determined that 19.7 million applicants for security clearances had their Social Security numbers and other personal information stolen and 1.8 million relatives and other associates also had information taken, according to OPM. That includes 3.6 million of the current and former government employees for a total of 22.1 million.
"If an individual underwent a background investigation through OPM in 2000 or afterwards ... it is highly likely that the individual is impacted by this cyber breach," OPM's statement said today.
Even before today's announcement, there was little doubt that the universe of victims was vastly larger because the hackers had access to far more than personnel records, including files associated with background investigations and information on government workers' families, sources said.
In fact, the hackers allegedly rummaged through various OPM databases for more than a year -- and lawmakers and U.S. officials alike have described the breach as a significant threat to national security.
"It is a huge deal," FBI Director James Comey told a Senate panel on Wednesday.
Since reports surfaced saying more than just personnel records were stolen, the Obama administration has publicly maintained the theft of background-investigation files was a "separate incident" still under investigation. Some U.S. officials and lawmakers believe that distinction -- encompassing the same cyber-campaign -- kept the full scope of the OPM breach hidden for weeks.
"I'm sure you will probably obfuscate, [but] when will the American people know ... the extent of this penetration?" Sen. John McCain, R-Arizona, asked OPM Director Katherine Archuleta at a hearing on Capitol Hill two weeks ago.
Despite mounting public pressure and push-back from top FBI officials during closed-door briefings, senior OPM officials continued to say they couldn’t offer even an estimate until they determined exactly how many people were affected by the "separate but related incident." As part of a "time-consuming analysis," investigators had to ensure they weren't double-counting people whose personal information may have been stored in more than one system breached, Archuleta said two weeks ago.
"Throughout this investigation, OPM has been committed to providing information in a timely, transparent and accurate manner," OPM said in a statement today.
U.S. intelligence and law enforcement officials are particularly concerned over the theft of forms known as SF-86s that current and prospective federal workers, including certain military personnel and even contractors, submit for security clearances. The forms require applicants to provide personal information not only about themselves but also relatives, friends, “associates” and foreign contacts spanning several years. The forms also ask applicants about past drug use, financial history, mental health history and personal relationships.
Such information could be exploited to pressure or trick employees and U.S. officials into further compromising their agencies, or they could provide ways for hackers to target people outside government, sources have told ABC News.
An OPM system known as "e-QIP" that allows applicants to submit SF-86s and other materials online remains suspended in the wake of the breach.
The attack on OPM began in late 2013, when hackers infiltrated the systems of a government contractor, KeyPoint Government Solutions, and stole the "credentials" of an employee, according to two days of testimony on Capitol Hill.
Sources suspect that was the start of an unprecedented cyber-campaign out of China to collect information on federal workers inside the United States and others around the world.
A major breach of OPM systems wasn't detected until April, after OPM began implementing new cyber-security measures. That led investigators to realize the files associated with background investigations had been taken.
OPM is now offering what it calls "a comprehensive suite of monitoring and protection services" to those impacted.
"it takes two sides to end a war but only one to start one. And those who do not have swords may still die upon them." Tolken
