Why the theft of OPM data is so awful

Yes, it’s another cybersecurity post. It’s becoming more of an issue for all of us and you’d better be prepared.

You’ve probably heard that the Federal Office of Personnel Management (OPM) was recently hacked and a lot of sensitive personal data was stolen. But it’s much worse than originally reported. Also stolen was a second set of data, the Standard Form 86 (SF 86).

The SF 86, “QUESTIONNAIRE FOR NATIONAL SECURITY POSITIONS,” is a 127-page form that asks (among other things) where applicants have lived; about contacts with foreign citizens and travel abroad; for the names and personal details of relatives; and about illegal drug use and mental health counseling, except in limited circumstances. It is filled out by anyone who is looking for a security clearance.

It is rumored that the data was stored, for no discernible reason, on Dept. of the Interior servers. The data was not encrypted, but the OPM is claiming that it wouldn’t have mattered, as the attackers possessed valid network credentials and could access the data in unencrypted format. There was no two-factor authentication in use. Needless to say, Congress is having a cow.

Fingers are being pointed at China for this attack (they of course deny it). It certainly sounds like it’s state-sponsored given the data stolen and its potential for use in blackmail and espionage. If you have a clearance of any kind you’re potentially a target now that the attackers know more about you than anyone else (including possibly your spouse).

[Update 6/23/2015] Hey, remember when I said it was “much worse”? Well, it’s even worse than that. It’s possible up to 14 million records were obtained, essentially everyone who has ever worked for the federal government. All of them are now in the hands of a foreign government.
