OPM: The worst hack of all time

The federal government personnel security breach is bigger and worse than you can imagine.

Hi, my name is Steven J. Vaughan-Nichols and I had a security clearance in the 1980s. Because of that, my personal records are likely to have been revealed by the Office of Personnel Management hack.

Big deal, right? What could be so important about my 30-year-old records that it would matter to me today?

Oh, let me think. There's my Social Security number, my birthday, my birthplace, everywhere I had lived for 10 years before I got my clearance, the full names of all my relatives -- you know, everything you'd need to steal my identity.

Does that sound like I'm overstating the case? I'm not. When you get a security clearance, they want to know everything about your life.

Check for yourself. The current Questionnaire for National Security Positions form (SF-86) is 127 pages long. It asks for information on everywhere you've lived in the last 10 years, every job you've had for the last 10 years, and any visits to a healthcare professional for emotional or mental health conditions in the last seven years.

Then, of course, records checks may also be made on your spouse, roommates and immediate family members. Oh, and by the way, "immediate family" means your spouse, parents, step-parents, siblings, half- and step-siblings, children, stepchildren and cohabitants.

Except for the name of your first pet, the SF-86 pretty much covers every question you've ever been told you could use for your "security" question.

I understand why they ask those questions. What I don't understand is why Congress never anted up the cash to encrypt those records or secure them in any meaningful way.

While I'm grousing about this, I'd also like to know why it appears that some OPM contractors may have been Chinese nationals -- working from China.

You can't make this stuff up. Who needs hackers, when the U.S. government will hire you to manage its top-secret goodies?

What's that you say? It was only 4 million records? Oh no, my friend. It was at least 18 million. That's 18 million former, current and would-be federal employees and contractors.

But, wait! It may be 32 million!

I've reason to believe it was at least that many. I just haven't been able to get anyone on record with that number. But trust me, the OPM data breach is bigger and badder than anything else that's ever happened.

Now, let's think about the next steps. Clearly, the entire government personnel system will need to be cleaned up. There's a bigger issue, though.

The U.S. currently has about 319 million citizens. Of those, 10% may have had their Social Security numbers revealed. Think about it.

Now, if China has all that information, it may not matter that much. Seriously, does Beijing care about my Social Security benefits? I doubt it.

But let's say I held a sensitive government position and had a cousin living in Hong Kong. Then it would be a different story. In that case, I could foresee getting a call from a burner mobile phone telling me that if I'd like to keep my cousin safe, I might want to share a little information with someone.

Let's say the hackers were run-of-the-mill crackers instead of a nation state. After all, a bright teenager could have broken into the OPM. If that's the case, what's to stop them from practicing identity theft on an epic level?

I'll tell you what: nothing. The feds tried -- and failed -- to set up a credit and identity protection plan. Eventually, they'll get it right, but so what?

Ten percent of Americans may have had their identities permanently compromised. So, what are we going to do?

No one's talking about that yet. But here are some real possibilities: 1) Junk our current Social Security numbers. 2) Bring back the much-hated idea of a national ID card. Or 3) Reauthorize every last person whose ID has been revealed and give them new Social Security numbers.

Any way you cut it, fixing this is going to take a minimum of tens of billions of dollars. Frankly, I wouldn't be shocked if the bill ends up running into hundreds of billions. At the same time, no one is going to be happy with any of these solutions.

An ancient "ha-ha-but-actually-serious" computer joke goes, "To err is human, but to really foul things up, you need a computer." That joke has never been more serious.
