from Hacker News

Office of Personnel Management Says Hackers Got Data of Millions of Individuals

by mrmaddog on 7/9/15, 8:12 PM with 80 comments

  • by murbard2 on 7/9/15, 10:28 PM

    And yet, tomorrow they'll have no qualms making the case that, of course, the government can securely keep backdoor keys to investigate encrypted communications.

  • by fixermark on 7/9/15, 8:34 PM

    No surprises there.

    I get deeply frustrated (though I understand where they are coming from) when governments make the argument that they can't take advantage of this or that cloud service because the service's security isn't vetted. Clearly, the security in the backing systems owned by the government isn't sufficiently vetted either, so they're sacrificing velocity for non-security.

    I know, it's a flippant attitude. Blame a lousy day. ;)

  • by hamburglar on 7/9/15, 9:20 PM

    When are we going to move from a nine-digit number to something a little more secure for identity? I effectively want a public key and a private key and require signing of forms submitted as me.

    edit: Freely provide easy to use tools for doing the signing and verification, and for people who still aren't savvy enough to do it themselves, train notaries to do it.

  • by bitJericho on 7/9/15, 8:56 PM

    The worst of this is that I had just taken a government job when the 4.2 million person breach was claimed to have happened. I had very serious concerns about giving out so much (and it was an absolute ton, more than any other employer I've ever worked for) information. I had thought about not taking the job but like many Americans I really didn't have much of a choice. The choice was homelessness and perhaps even going to court for failing to pay my obligations, or a nice comfy job and pay.

    Why does the government need so much data on its employees; that's what should be asked!

  • by dguido on 7/9/15, 10:09 PM

    Before you start shitting on OPM and the like, is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?

    Clearly, OPM should know, but omg is the state of security poor.

  • by aburan28 on 7/9/15, 8:57 PM

    This hack occurred well over a year ago. The DoD knows exactly how many people this affected as it was informing its employees to be wary of the implications of this (telling their kids to watch out for Chinese blackmail, potential social engineering attempts with more informed information from the data dump). I am honestly surprised this story took this long to be discovered.

  • by melipone on 7/9/15, 11:41 PM

    There is a petition on whitehouse.gov to get free identity theft insurance coverage for life: https://petitions.whitehouse.gov/petition/provide-lifetime-i...

  • by mirimir on 7/9/15, 9:27 PM

    The NSA was slow in adapting to the Internet. Also, US cyberwar efforts have been too focused on offense. They've assumed technological superiority. That was safe 20 years ago (maybe even 10) but it's clearly not safe now.

  • by codesilverback on 7/9/15, 9:34 PM

    So did anyone get fired?

  • by ebel on 7/9/15, 10:10 PM

    AWS Govcloud has a very small subset of AWS public features. Enough to get the job done though. Most importantly, it complies to all the FedRAMP, ITAR standards. The Government is just inherently slow in adopting and leveraging AWS's awesome infrastructure.

  • by justonepost on 7/9/15, 11:32 PM

    What's problematic about this is clearance data usually involves investigators asking questions of references of the applicant: "Do you know anything that could be used to blackmail the applicant into revealing confidential information?" If that sort of info was saved (even for those rejected clearance because they DID find something) and stolen in this hack, that could be rough going for a lot of folks.

    https://www.clearancejobs.com/security_clearance_faq.pdf

    "What will I be asked during a security clearance interview? During a ESI, the investigator will cover every item on your clearance application and have you confirm the accuracy and completeness of the information. You will be asked about a few matters that are not on your application, such as the handling of protected information, susceptibility to blackmail, and sexual misconduct. You will be asked to provide details regarding any potential security/suitability issues. During a SPIN, the investigator will only cover the security/suitability issue(s) that triggered the SPIN. The purpose of the SPIN is to afford the applicant the opportunity to refute or to confirm and provide details regarding the issue(s)."

    More:

    http://www.navytimes.com/story/military/2015/06/17/sf-86-sec...

    "They got everyone's SF-86," one Pentagon official familiar with the investigation told Military Times.

    "The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions."

    ..

    http://news.clearancejobs.com/2015/06/13/sf-86-stolen-opm-ha...

    "The entirety of at least some SF-85 and SF-86 background investigations held on OPM servers were breached, meaning sensitive data including relatives, spouses, and sensitive information on everything from mental health counseling to sexual behavior is now in the hands of the Chinese government."

    And if you're really bored:

    https://www.opm.gov/Forms/pdf_fill/sf86.pdf

  • by spoiledtechie on 7/10/15, 12:32 AM

    I would like to ask a question, but its real. How many of you yes and no, would be willing to go to war knowing that China is making a record of every single interesting person in the United States? Would you physically be willing to go to war over that fact? They are literally profiling us and it seems like the average US citizen gives 2 shits.