OPM handed employee data to Chinese/Venezuela

June 20, 2015

I got my promised email the other day notifying me that my PII was part of the data that the Office of Personnel Management lost to Chinese “hackers”. The solution was an email to the same address that the Chinese now have and it included a link that I was supposed to click and then enter my PII on another website, you know, so that someone else would have the opportunity to lose my information, you know someone that hasn’t had an opportunity to lose it yet, after the Department of Defense, the Veterans’ Affairs Department and now OPM had all lost control of it. This last time it might be worse, though – if they lost control of my application for my security clearance, they also got a hold of all my friends and family information, as well.

So, how did that happen? According to Business Insider, the Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment told the House Oversight and Government Reform Committee that the systems administrator for the information “was in Argentina and his co-worker was physically located in the [People’s Republic of China].”

From Ars Technica:

But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

Oh, by the way, the email that I got from OPM contained this disclaimer; “nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter”.

That’s how I knew it was from the government and that they were there to help me.

Needless to say, I’ll just stick with my own subscription to Lifelock, I’ve had enough of the government’s solutions for my security. Did I mention that the breach happened months ago and lasted for months? That this latest breach is like closing the barn doors after the horses already ran all the way to China.

Thanks to Bobo for the link to BI.

Category: Dumbass Bullshit

33 Comments
Club Manager

Let’s see if I’ve got this right. The systems administrator for the information “was in Argentina” and his co-worker was “physically located in People’s Republic of China”; and the attackers had gained valid user credentials to the systems that they attacked, “likely through social engineering”. Is that what they call getting laid and blackmailed these days? How f’in stupid has our government leadership become?

Instinct

Well, from what I read OPM outsourced the system admin and they were physically located in China and Argentina so they were using login credentials that weren’t stolen at all.

Maybe the article was badly worded, which wouldn’t be a surprise, or OPM is horribly managed by incompetent political hacks, which also wouldn’t be a surprise.

Instinct

Sorry, Venezuela

NR Pax

I’ll be honest; the latter sentence was how I read that article.

USMCE8Ret

Jonn – I received my letter in the mail and the e-mail at work the next day. I share the same sentiments as you.

THEN, the very next e-mail I opened was from the agency IT administrator who was basically reminding all employees how important it is for us to safeguard our information and to not compromise others – as if we needed to be told that.

It’s funny how the PIN in the letter and the one I received in the e-mail are different, and neither is tied to my record. When I saw how much information they wanted on the first screen, I opted out of participating as well because I have the same suspicions as you and probably others.

BTW, did you happen to read the terms and conditions agreement (the link) at the bottom of the acceptance page? It seems the whole thing will turn out to be a time toilet – the gov’t’s way of acting as if it’s doing something.

You’re wise for sticking with LifeLock.

GDcontractor

I didn’t get a letter or an email that I know of, but I bet they have my info from when I applied for a clearance. I love the irony of the system admin being in Argentina and the coworker being in China, routinely handling PII data of folks who are required to report any contact with foreigners. Only our government could come up with something that asinine. Really makes me want to stand in line to submit fingerprints next time I buy a weapon or ammo.

Jjak

I’m pretty sure the gun owner registration part would be made to work (because it’s important to the statists) but you’ll probably be significantly delayed in picking up your purchase, by design.

ohio

More “Hope and Change”.

Ex-PH2

Well, I do hope this all sorts itself out and that nobody loses anything.

Yes, it’s nice to know that your government has your best interests at heart… not.

That noise you hear in the background is me laughing loud enough to wake the dead.

TankBoy

And yet the Republicans wanted to give this farce of an administration carte blanche to do trade deals with the very people who stole our information. God save the Republic from Democrats and Rhinos.

Richard

This is the first paragraph of the “business insider” article:

Contractors in Argentina and China were given “direct access to every row of data in every database” when they were hired by the Office of Personnel Management (OPM) to manage the personnel records of more than 14 million federal employees, a federal consultant told ArsTechnica.

Social engineering happens when there is a person who is trying to be honorable and keep a secret but they are deceived into giving up their credentials – honey traps, diversion, all of the ordinary stuff from spy novels and books about cracking IT systems.

In this case either the lead sysadmin (a contractor in Argentina) or the deputy (a contractor in China) gave credentials to a bad guy. Y’all can debate if one or both of them was deceived. I don’t care. It is weapons grade stupid to hire contractors for this system or ANY system even slightly like this from outside the US.

Rant on

I think that outsourcing IT to overseas companies, China, India, whatever is a bad idea and it risks our national security. It also sends money out of the country that should be spent here to pay US employees. There are a crapload of US IT people who cannot find a job at a decent wage because we are competing with people who can live very well on $10k per year.

Rant off

Tankboy

One hundred percent in agreement with your post. I got my email the week before last. And as I said above, as much as I want to specifically blame this administration of fools, the Republicans are worse. At least the Democrats are honest about not giving a damn about this country.

Bobo

This is what happens when you hire a political hack with no experience to run an agency.

Roger in Republicr

Or a whole damn country, twice. This administration gives amateurs a bad name.

LC

Complete agreement here – I have been traveling and haven’t read up on all the details yet, but I wouldn’t be surprised if the systems staff was contracted to a big government-focused IT firm,… which then subcontracted out to foreign workers, earning a pretty penny for being the middle man. I don’t want to sound naive, but I can’t imagine the government directly contracted with foreign techs to run systems with sensitive info.

Also, while social engineering is a possibility, I’d wager this was either more of a physical hack in China (keyloggers, tailored access, something), or, frankly, a direct pay off. No need to risk the social engineering approach when you can either get in and out without people knowing, or control the people with access.

AW1Ed

Fully anticipating my “special” e-mail any day now, and somehow I’m pretty sure China is more interested in my security clearance than my savings account. On a similar note, yesterday we received a spam from the IT department warning that wireless mice and keyboards will soon be verboten, as hackers may monitor their signals.
UnFuckingBelievable.

UpNorth

Why would hackers bother with someone using a wireless mouse? They can just apply to the DoD, OPM or any other orifice in the federal government, get hired and have full access.

AW1Ed

That’s the point. Everything I do at my desk is at best FOUO. For classified I have a SCIF.

crucible

I haven’t received a letter yet which is worrying in and of itself: I’m an active Fed with an active TS and how could my stuff not have been compromised??

Sarge

I’m in the same boat…two of my co-workers have received the email and letter, I haven’t.

And our Comm Squadron is now saying any email you get from OPM is a phishing attempt and should be ignored.

NR Pax

Still wondering if I’m going to get a letter myself. It’s almost a tradition since my information was on the VA laptop that got stolen as well.

Sarge

Just got my email from OPM…debating whether or not I am going to use the credit service. I might look into alternatives at this time…

I’m not in the states right now, and frankly, don’t plan on coming back until a lot of shit changes.

Virtual Insanity

I got my e-mail, and my wife got her snail mail letter (we work for different commands) last week.

Like USMCE8Ret said, shortly after I received an e-mail from our IA/IT folks reminding me I needed to do my online security training.

Their office is right across the hall…they heard my response.

NR Pax

Was the phrase “motherfucker” used at any point in time?

D

Regarding the push for LifeLock, does it not give you pause that Todd Davis, the CEO, had his identity stolen multiple times after posting his SSN all over the place? Where was LifeLock then?

Sparks

“That’s how I knew it was from the government and that they were there to help me.” Jonn, that statement took every thought from me and said it all. I hope nothing bad comes from this to you.

Claymore

They need to stop using the word “hacked”. Nothing was hacked…they handed the keys to the environment to foreign nationals. That’s not “hacked”, that’s fucking retarded.

Arby's

What got buried in the news was that DHS suffered a major cyber breach when a contractor to the TSA got hacked. Anyone who had applied for a TSA clearance got their info hacked. I got my letter last week. Haven’t gotten the OPM letter yet.

Green Thumb

I am going to file my next FOIA with the Chinese.

I probably would get better results than going through our own government agencies.

TankBoy

And if you can get an English to Mandarin translator for your computer, it should be a lot easier to file VA and TRICARE claims in the future!

GunzRunner

This kills me. The guys who caused the breach are probably the same ones who hammered their subordinates for not having their annual cyber security training completed one month before it was due.