Privacy China Government United States

More Than 22 Million People's Data Compromised By OPM Hack

OutOnARock writes with news that the Office of Personnel Management data breach reported earlier this month was actually far worse than earlier estimates had it; in all, it seems that more than 22 million people (not all of them government employees) had personal information compromised by the breach. From Yahoo News's coverage: That number is more than five times larger than what the Office of Personnel Management announced a month ago when first acknowledging a major breach had occurred. At the time, OPM only disclosed that the personnel records of 4.2 million current and former federal employees had been compromised.
  • by Anonymous Coward

    Peasants you know what to do!

  • by __aaclcg7560 ( 824291 ) on Thursday July 09, 2015 @05:14PM (#50078385)

    My two-hour background investigation interview lasted four hours because the bureaucrats in Washington couldn't understand how one person can have multiple jobs. After being out of work for two years (2009-2010), underemployed for six months (working 20 hours per month) and filing for Chapter Seven bankruptcy in 2011, don't you think a person would work a regular Monday-Friday job and a weekend job to get his finances in better shape? Meh...

    Enjoy my case file, hackers! I hope your head explodes from my employment misery!

  • by turkeydance ( 1266624 ) on Thursday July 09, 2015 @05:30PM (#50078455)
    for everyone to read
  • by Anonymous Coward

    I believe that brings the total number of people compromised in the past few years up to about, oh, a hundred million.

    • We should build a database of people who have not yet been compromised. It'll be easier to keep track of.
  • Only the Civ Gov side.

    So, only one of the five spy agencies you know about.

    • Eh?

      1) The IC comprises 17 agencies. That's not a secret. Anymore, at least.
      2) Some of those agencies use OPM for background investigations, and some don't. I can tell you that the distinction is not strictly military/"civilian" though.
      3) Some (not a small number) of the people that work at those agencies have pre-existing background investigations from prior employment, be it military, civilian, or contractor. It's not an impossible task to use data mining to map past background investigations to curren

  • by Anonymous Coward

    22 million government workers get hacked probably because some anus site got SQL injected.

    The NSA spends no time auditing its own systems to protect American citizens, and all of its time spying on Americans and "terrorists"

    If the NSA's mission is to truly defend America, how come sensitive government systems are still prone to SQL injection?

    Let this all sink in.

    • by DarkOx ( 621550 )

      I think that is the problem: the NSA's mission isn't defense, it's offense, largely. We don't really have a cyber (ugh, I can't believe I just wrote that word) defensive force. We probably should, but we leave that to 'domestic' agencies like the FBI and other groups we rolled up into Homeland Security.

      Remember the "Department of Defense" (although there were some other reorganizations and mergers) was essentially created by renaming the "War Department" because it's politically more palatable to have a "defense

    • 22 million government workers get hacked probably because some anus site got SQL injected.

      The NSA spends no time auditing its own systems to protect American citizens, and all of its time spying on Americans and "terrorists"

      If the NSA's mission is to truly defend America, how come sensitive government systems are still prone to SQL injection?

      Let this all sink in.

      If the NSA actually protected US citizens from being hacked how would the other 4 eyes of the 5 eyes treaty spy on Americans?? Don't be stupid, part of the NSA's job is to make SURE that you can be hacked by the other 4 eyes (CSIS, ASIS, NZSIS and GCHQ).

  • This database should contain all the personal details on spies. If this was stolen by China, why haven't we heard about every spy being pulled out of China and Russia? They are friend-enemies after all.

    Any chance this hack was done by the NSA to help get more funding and show the Americans how much they are needed to keep us safe? The NSA would know all the details of how the OPM works. Easy target.
    Go into a big Chinese bank. What do you see? Most of the computers used for operations are still running XP.

    • Paranoia getting the better of you?

      First off, it would take a particularly stupid intelligence agency to keep its personnel records on OPM computers where just anyone could see them.

      Secondly, unless you're absolutely sure who has the information, you don't confirm it for the world by a quick (over-)reaction.

      And thirdly, why do you think YOU would notice what the government was doing with its embassies? If it were doing something abnormal, would you even recognise it as "something abnormal"?

      • Paranoia getting the better of you?

        That's the first problem when you have an agency like the NSA. There's absolutely nothing to stop them from doing something like this and arguing later that it was for national security.

        First off, it would take a particularly stupid intelligence agency to keep its personnel records on OPM computers where just anyone could see them.

        This is the second problem when you have an agency like the NSA. You believe, like in the movies, all the top talent is there and nothing like this could happen. But in reality, all the talent that's willing to do what they're told without question is what's there. Quality may not be their strong suit, and again, this is the f

      • by AHuxley ( 892839 )
        Re "Secondly, unless you're absolutely sure who has the information, you don't confirm it for the world by a quick (over-)reaction.
        And thirdly, why do you think YOU would notice what the government was doing with its embassies? If it were doing something abnormal, would you even recognise it as "something abnormal"?"
        Most other nations do really try to really count every passport in and out and do have working, fully updated databases, other paper work and tax systems to track every worker.
        Most nations do
      • by DarkOx ( 621550 )

        personnel records on OPM computers where just anyone could see them

        Would it? That information is still needed. Paychecks have to get cut etc. All these clandestine people need some kind of cover. So why not give them "jobs" as administrative employees in what everyone already understands to be a giant bureaucracy. That way if anyone inside or outside goes looking for information they find exactly what they expect.

    • by AHuxley ( 892839 )
      Russia and China don't have to care. They think very long term and have all their real contacts in cleared US gov/mil position going back generations and many decades.
      They trust their own contacts within the US system and have fully tested them going back decades.
      Russia and China also understand the "Limited hangout" https://en.wikipedia.org/wiki/... [wikipedia.org] of any bulk files.
      How many US mil traps and gems are really in that data? Go looking over bulk data and what for?
      Russia and China have always understoo
      • Russia and China don't have to care. They think very long term and have all their real contacts in cleared US gov/mil position going back generations and many decades.

        That is their strength compared to the democracies of the west. The democratic powers can only plan maybe 8 years ahead (if they are feeling very confident).

        • by AHuxley ( 892839 )
          Re "can only plan maybe 8 years ahead (if they are feeling very confident)."
          The West could not even hold the one type of database it really, really, really had to hold as a good secret away from random, fast, open public networks.
          So some cleared contractor could go to some out of state jobs fair, find some needed translator or skilled expert and get them cleared to start work sooner to bid on some federal task 'sooner'...
          Just so the private sector could feel more happy about getting more federal funding
      • Limited hangout is wishful thinking. Anyone who is any good at this game gets everything they want from the limited hangout, regardless of the intent to deceive. Even misleading, incomplete, or deceptive data is still data.
    • NSA doesn't need to do any of that. Their budget is made up of money laundered through programs with boring names so nobody can tell what they get anyway.

      And if they want the data all they have to do is ask OPM. Or offer to store backups for them. The privacy act protections are almost nonexistent and completely worthless.

    • by notea42 ( 926633 )
      Wrong - the CIA keeps its own records separate, for exactly this reason. FBI, DoD, and Contractors however were screwed by this.
  • by AHuxley ( 892839 ) on Thursday July 09, 2015 @06:07PM (#50078673) Journal
    The US gov seemed to have really understood all the issues the UK and other nations had with selecting and sorting cleared staff from the UK security issues of the 1930's to 1980's.
    Full background interviews, real cleared US gov staff looking deep into a person's submitted life story and then looking at the facts on the ground anywhere in the US.
    Life story, education, friends, mail, reading material, call logs all allowed the US gov to select the more useful and smart people for sensitive positions.
    Over the past decade the move was to finding staff with unique skills quickly and trying to ensure US security paperwork was not going to be any issue for contractors, ex staff, former staff, people moving from the private sector into gov or gov into the private sector. All while keeping or re-using past security access.
    The US gov and mil could ensure skilled staff from the public and private sector were ready, could be found and sorted regionally and quickly for any task in or out of the USA.
    The problem for the US gov is it needed so many contractors quickly and hoped remote digital files could 'clear' a boss and their new company or past contractor/mil/gov staff for new gov/mil/contractor work.
    Vast new online digital databases allowed for lucrative jobs to be handed out and any security issues to be fixed quickly.
    The downside of this rapid system is what was fully understood by the US, UK, Australian and many other nations since the 1950's from their WW2 and 1930's security issues. Don't hire or create security in haste and keep the files away from all other people in gov, mil, private sector and other nations. How or why the US gov ever let go of its most secure files for national remote access is a real mystery.
    Other nations who kept their files safe from new contractors' needs and within the gov seemed to have understood the issues of rapid security expansion and all the remote database issues. Why did the US gov and mil think it was a good idea or safe to allow complex files of that nature to just move regional and national networks from the mid 1990's on?
  • by BoRegardless ( 721219 ) on Thursday July 09, 2015 @06:42PM (#50078883)

    That will happen. It is only a matter of time.

    • by Anonymous Coward

      To what end? Those aren't exactly people ripe for identity theft. You'd have a bunch of low-credit, low income people who couldn't get a high interest car loan, much less be of use to anyone in China.

    • That will happen. It is only a matter of time.

      Haven't you been paying attention? They already hacked blue cross, which is a shitload more concerning in terms of intelligence targets than hacking health care info for America's poor and out-of-work.

  • No more NSA (Score:4, Interesting)

    by Charliemopps ( 1157495 ) on Thursday July 09, 2015 @06:46PM (#50078901)

    So the NSA is clearly useless, and making the situation worse. They are not, and cannot protect us electronically. Instead, they are collecting all of our information and storing it for the inevitable hack that will give it to the rest of the world. The first question I ask when I'm asked to secure data is: "Do we actually need this data?" You can't steal what doesn't exist. Why the hell did this agency have data on people going back to the 1980s? Why is the NSA collecting data on all of us? It's a pointless endeavor that's putting us all at risk.

    • So the NSA is clearly useless, and making the situation worse. They are not, and cannot protect us electronically. Instead, they are collecting all of our information and storing it for the inevitable hack that will give it to the rest of the world. The first question I ask when I'm asked to secure data is: "Do we actually need this data?" You can't steal what doesn't exist. Why the hell did this agency have data on people going back to the 1980s? Why is the NSA collecting data on all of us? It's a pointless endeavor that's putting us all at risk.

      The NSA don't want to protect you electronically. They need to make sure that their buddies in 5 eyes can spy on you. GCHQ, CSIS, NZSIS and ASIS all have to be able to hack you, spy on you etc. The NSA doesn't want to stand in the way of that. Hence counterintelligence operations in the 5 eyes nations are a shambles.

  • Until about a year ago, I had a security clearance. So I'm one of the 22 million. I've already been contacted by our site clearance officer. They gave me this link from the OPM [opm.gov] about the breach, which has more information than the links in the article.

    For those who haven't gone through it, during a background search they send actual human beings around to your friends and family, and then to second-order contacts they know who know you, to ask questions about you. So the OPM, and now the hackers, literally

  • Could someone just publish a list of everyone's name, phone numbers, addresses, and SSN's already? Then there would be some motivation for people and organizations to learn the difference between identification and authentication. Knowing a number with nine or so digits associated with an individual shouldn't give you access to their credit, whether it's their SSN or their telephone number.
    • I think you've hit on something here. The reason I think it hasn't been done yet is that it makes people work much harder at authentication, and (so far) it is too expensive to implement authentication that doesn't use the obscurity of the personal identification data.
