The news about the data breach at the U.S. Office of Personnel Management keeps getting worse by the day. How much worse? On June 12, the Associated Press reported that the number of personnel records that may have been pilfered in a stealthy cyber-attack is as high as 14 million.
Meanwhile, The Washington Post is reporting that a great deal more information than just basic name, address and Social Security number details was taken and that, in fact, the database that was breached contained something called the SF (Standard Form) 86, a 127-page form that each person who is being considered for a security clearance must submit.
This form is far more detailed than you’d expect for most job positions. In fact, when I submitted my form SF-86, I was required to submit details on every job I’d ever held, no matter how brief or how minor.
I was also required to report on every place I’d ever lived, every place outside the United States where I’d ever traveled, and my personal information, ranging from hair color and race to my height and weight. The level of detail was astonishing. But it’s required of anyone who ever had a security clearance. Because I was an officer in the Navy, of course, I had such a clearance.
While I haven’t been notified that my information was taken, OPM on June 15 started to send out notices to those whose data was breached. Each person will get a letter, or in some cases an email, letting them know that this happened and offering a year and a half of credit monitoring and a million dollars of identity theft insurance.
On June 14, OPM spokesperson Samuel Schumach said that OPM had discovered what it called a “separate intrusion” into OPM’s systems that revealed the details of background investigations into former, current and prospective federal employees and others for which an investigation was required. This would include a vast number of government contractors.
But just in case you thought that things couldn’t get worse, a Manassas, Va., security company, CyTech Services, may have quietly played a role in determining how the massive breach into OPM took place.
The Wall Street Journal is reporting that this small company visited OPM in April to demonstrate its security software and, in the process, found malware running on several computers inside the agency. CyTech reports that the company remained on-site for several days to assist the FBI and other agencies in the investigation.
In addition to finding that the malware that played a role in siphoning information to whoever breached OPM was still there and still at work, the investigation now indicates that the breach started much earlier than December 2014 and, in fact, may have begun more than a year before that.
OPM Data Breach News Just Keeps Getting Worse
By establishing an earlier intrusion date, one piece of the exfiltration puzzle appears to have been cleared up. As I mentioned in an earlier column, one of the mysteries of the OPM breach is how the Bad Guys managed to move such a vast quantity of data out of the agency in the relatively short time of a month or two. Surely, the question was asked, wouldn’t someone have noticed all of that data moving out?
But if the breach was going on for more than a year, then the volume of data extracted at any one time would likely be much less. Divide that up among several infected computers and it becomes much more likely that such a data theft could have gone unnoticed. Even so, that’s a lot of data, so it still seems likely that not everything on every record was taken.
The likelihood that not everything was taken is cold comfort for the many federal employees, current and former, whose trust in OPM and their government computer security was violated. They may still find that they have to spend the rest of their lives looking over their shoulders.
But it’s potentially worse for the employees of a couple of intelligence agencies. While the Central Intelligence Agency, the State Department, the Defense Department and others do not depend on OPM for security clearances, background checks or personnel records, there’s still a risk.
The intelligence services for each of these organizations will frequently provide cover for their deployed personnel by claiming that they actually work for a civilian agency, such as the Commerce Department or the Agriculture Department.
Now, it will be relatively easy for the Chinese, the Ukrainians or whoever was responsible for this breach to check whether someone who is presenting themselves as an agriculture attaché actually works for the Department of Agriculture.
I realize this is the first time that the Ukrainians have been mentioned. Initial reports about the breach placed the blame on Chinese hackers, who seem to get blamed for many U.S. corporate or government data breaches.
However, one extremely reliable source tells me that the people who carried out the OPM breach communicated among themselves in Ukrainian. The question is, does that really mean anything? Nobody knows for sure, but that’s pretty much the whole story when it comes to the OPM breach. Perhaps we’ll find out soon.