Hack Of Federal Gov't Employee Info Is Much, Much Worse Than Originally Stated: Unencrypted Social Security Numbers Leaked

from the because-that's-how-this-works dept

Over a decade ago, I pointed out that every single time there were reports of big "data leaks" via hacking, a few weeks after the initial report, we would find out that the leak was even worse than originally reported. That maxim has held true over and over again. And, here we go again. Last week, we noted that the US government's Office of Personnel Management had been hacked, likely by Chinese hackers. And, now, it has come out that the hack was (you guessed it) much worse than originally reported. The President of the union that represents federal government workers, the American Federation of Government Employees (AFGE), sent a letter to the director of the OPM, claiming that the hackers got away with the Central Personnel Data File, which includes full information on just about everything about that employee -- including (get this):

Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees. We believe that hackers have every affected person's Social Security number(s), military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more.

Oh, and then there's this:

Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.

The letter further points out -- as we did last week -- that the 18 months of credit monitoring the government has offered everyone is a complete joke. It's unlikely that the hackers are looking to do identity fraud for financial gain -- and quite likely this is for espionage purposes.

But, let's go back to the Social Security numbers being unencrypted for a second. Remember, this hack is being used by intelligence system defenders to argue for why we need stronger "cybersecurity" laws that will give the NSA and FBI much greater access to Americans' data. And, yes, this would be the very same FBI that has actively argued against encryption. And the NSA has always hated encryption and insists it needs backdoors into any encryption. Both of these organizations strongly support "cybersecurity" legislation, claiming that it's necessary so that the US government can "help" companies dealing with "critical infrastructure." And yet, here we are, with the government's own personnel files being held in a system without encryption that was hacked and copied by (likely) foreign hackers.

And we're supposed to trust two government agencies who have been going around cursing encryption, that we should give them more access to "protect us," when the attack on another government agency likely could have been prevented if they'd just used encryption? As plenty of cybersecurity experts will tell you, the problem in the security realm is not "information sharing." It's people doing stupid things in how they set up their systems. Not encrypting the employee files for every government employee seems to fit into that category. Perhaps, rather than focusing on bogus "cybersecurity" legislation to give more power to the idiots shouting against encryption, we should have the government focus on getting its own house in order, including encrypting employee data.

Filed Under: cybersecurity, federal government, leaks, opm, social security numbers, unencrypted