The National Federation of Federal Employees is calling out the Office of Personnel Management for downplaying the extent of a December breach that may have leaked the personnel data of every federal employee, every retiree, and up to one million former federal employees. The union made the charge in a letter to OPM Director Katherine Archuleta, obtained by the Associated Press.
“We believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous,” the letter said.
This week Sen. Harry Reid confirmed the hack was carried out by the Chinese, although OPM and the White House have refused to say who is behind the attacks and China denies the allegation. Earlier this week government officials noted the attack appeared to be state-sponsored and tied it to a larger effort by the Chinese government to create a database of US government employees.
What’s in a personnel file?
A Central Personnel File contains up to 780 pieces of information about an employee. Hackers are believed to have stolen address, birth date, Social Security information, job and pay information, pension information, age, gender, race and more. That much of the information, including Social Security numbers, appears to have been unencrypted has cybersecurity professionals shaking their heads.
Aiding the Chinese Commercial Sector Spy Game
Access to such wide-ranging information about current and former feds is most likely to be used for blackmail, or to create spear phishing campaigns to inject spyware on users’ computers. Given the Chinese government’s history of blending military cyber attacks with commercial sector attacks to benefit state-sponsored corporations, the breach is a nightmare for both the government and private sector. Because the information breached includes former feds, government employees now working in positions in the private sector are just as likely to be exploited in an effort to attain corporate secrets and economic advantage.
Background information data in jeopardy?
Because details of the December attacks continue to slowly trickle out, many are beginning to doubt that the breach did not affect background investigation information. OPM conducts the majority of background investigations for both government employees and contractors. Access to background investigation data would allow the Chinese government to create a database of cleared professionals, and would provide a wellspring of information that could be used by foreign intelligence officers to extract data or blackmail current IC employees.
OPM continues to provide minimal information about the breach, stating that for security reasons they will not confirm the specific information breached. For all federal employees, it’s a good time to be particularly cautious of any email or unsolicited contact.