The Office of Personnel Management was hacked by China recently in what some are calling the worst security breach in American history, bigger, it seems, than the metric ton of NSA secrets that Edward Snowden piled on The Guardian.
To catch you up, the Chinese apparently wormed their way into the OPM’s personnel files and stole, well, everything, from social security numbers to basic personal information files, from pretty much anyone who has ever presented the information to the Federal government, including all employees and applicants. In other words, the Chinese now have the sensitive information of possibly millions of Americans. Now, they’ve already said that they intend to use that to try to turn certain Americans into spies, which seems inordinately difficult given how much information we already share about ourselves on social media, but the OPM seems relatively unconcerned, and the President has even expressed confidence in how its director is managing this ridiculous situation.
If that seems weird, consider that the OPM knows it might be less that the Chinese hacked their way into our systems and more that we gave them all of the resources they needed. According to Ars Technica, the OPM has been outsourcing their personnel files management to others for a while now, some of whom didn’t exactly have top secret clearance – and some of whom were located in the People’s Republic of China.
But some of the security issues at OPM fall on Congress’ shoulders—the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM’s investigation process told Ars, was essentially a company made up of “some OPM people who quit the agency and started up USIS on a shoestring.” When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—“a bunch of people on an even thinner shoestring. Now if you get investigated, it’s by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account.”
Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?’”
That’s good news.
With everything else going on, it’s easy to see how something like this slips through the cracks. After all, the situational vagaries are almost endless. The government has no idea how much information was stolen, when it was stolen or who it was stolen by, just that it was stolen and it was a lot of stuff. Without any specific information, they can’t specifically apologize, which means that no one can do any specific coverage, especially while there are more interesting stories on the horizon, like whether or not Rachel Dolezal has a sex tape.
The Chinese probably know that, too, by the way.