Hack of OPM May Affect Every Government Worker
China-based hackers may be building dossiers to blackmail or bribe federal workers.
The recent China-based hack of government data has compromised more information than was originally suspected, the head of a federal employees' union says.
The head of one of the largest federal workers unions says a China-based hack of federal government data was far broader than has been publicly revealed, fueling speculation that the sensitive personal and financial information was stolen to help determine which U.S. government workers might be amenable to spying.
The breach of the Office of Personnel Management networks announced last week compromised the personal information of many more than the original estimate of 4 million current and former government workers, according to J. David Cox, president of the American Federation of Government Employees. Cox wrote a letter to the OPM on behalf of his union, which represents 670,000 federal employees in the executive branch, in which he criticized the department for withholding information about the scope of the breach.
“Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees,” he said in the letter.
Another union of federal workers also wants more information on the breach from the OPM but is skeptical that the hack affected every government employee. The National Active and Retired Federal Employees Association told the Associated Press "at this point, we believe AFGE's assessment of the breach is overstated."
The compromised accounts include data on salary history, insurance records, job history and the Social Security numbers that would enable hackers to access even more information, he wrote in the letter. Cox criticized as “indefensible and outrageous” the notion that the Social Security numbers on the government network were not encrypted, and he added that the department should compensate victims with free lifetime credit monitoring and liability insurance.
The OPM is boosting its use of encryption in the wake of the breach, but its spokesman, Samuel Schumach, told the AP "today's adversaries are sophisticated enough that encryption alone does not guarantee protection."
The Associated Press late Friday also reported that a second data breach affected employees with security clearances, including officials of the CIA, National Security Agency and military special operations personnel. The data was stolen from digital copies of the Standard Form 86 questionnaires used to conduct background checks for those positions, where applicants include personal information about mental illnesses, drug and alcohol use, arrest records and bankruptcies, according to reports.
That sort of information about financial and personal history would be “invaluable” for a spy agency to develop profiles on federal workers to determine who could be bribed or blackmailed into stealing sensitive information about U.S. agencies, says Bob Baer, a former CIA case officer. Federal investigators have traced the hack to China, but it is unclear whether the Communist government is involved.
“Once you get their Social Security number, that leads you into credit reports to find who is in financial trouble, and then you go to them and say ‘I can solve your problems if you become a consultant for me,’” Baer says.
The Obama administration has criticized China and Russia for sponsoring attacks on U.S. networks to steal trade secrets to benefit their own businesses. Despite the U.S. indictment last year of five Chinese military members for hacking and economic espionage offenses, both China and Russia typically refuse to extradite suspected hackers.
Several other U.S. government networks, including those belonging to the White House, have been breached during the past year, so Chinese hackers could be “building a Facebook for human targeting” to help spies corrupt federal workers, says Adam Meyers, vice president of intelligence with cybersecurity firm CrowdStrike.
“Where you might see this manifesting itself next could be breaches to find who owns real estate in certain places,” Meyers says. “What kinds of mortgages do they have? What do they put on their taxes? What it comes down to is they want to find a way to motivate someone – like money, ideology or embarrassing information.”
The breach is increasing pressure on Congress and the White House to boost the cybersecurity of federal networks. Nevertheless, the Senate on Thursday rejected the Cybersecurity Information Sharing Act, which would offer legal protections to companies and enable them to share with the government more information about threats to their networks. The bill has generated controversy among privacy advocates and opposition from numerous Democrats for its potential to enable the expansion of government surveillance, or to give companies too much legal protection for failing to protect consumer privacy or to act on hacker threat data.
The White House responded to the breach on Monday by announcing that all publicly accessible federal government websites must encrypt traffic using a secure HTTPS connection by Dec. 31, 2016.
The OPM network could have been compromised up to a year before the breach was first detected by the government, which Meyers says shows the need for agencies to seek patterns earlier that can show when a hacker first accesses a network. The cybersecurity system known as EINSTEIN monitors network activity, like large downloads, but spending more time monitoring strange activity from accounts could show when hackers first steal passwords and data, he explains.
“If activity is encrypted and if data exfiltration occurs over time as a slow drip instead of a huge burst, it is difficult to spot,” he says.
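The detection gap Meyers describes, as an added example that is not part of the article and not EINSTEIN's logic: a per-transfer "large download" threshold misses an account that sends a modest amount every day, while summing each account's outbound bytes over a sliding 30-day window catches it. The log records, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-transfer records: (UTC timestamp, account, bytes sent).
# "bob" sends one large burst; "carol" drips 45 MB every night for a month.
SAMPLE_LOG = [("2015-04-01T09:00:00", "alice", 150_000),
              ("2015-04-02T10:30:00", "alice", 210_000),
              ("2015-04-03T11:00:00", "bob", 2_500_000_000)]
SAMPLE_LOG += [(f"2015-04-{d:02d}T23:15:00", "carol", 45_000_000) for d in range(1, 31)]

BURST_BYTES = 1_000_000_000        # single-transfer alarm, like a "large download" check
WINDOW = timedelta(days=30)        # how far back the per-account sum looks
CUMULATIVE_BYTES = 1_000_000_000   # per-account total tolerated inside one window


def parse(rec):
    ts, acct, nbytes = rec
    return datetime.fromisoformat(ts), acct, int(nbytes)


def burst_alerts(log, threshold=BURST_BYTES):
    """Accounts with at least one single transfer above the threshold."""
    return sorted({acct for _, acct, n in map(parse, log) if n > threshold})


def slow_drip_alerts(log, window=WINDOW, threshold=CUMULATIVE_BYTES):
    """Accounts whose outbound bytes summed over any sliding window exceed the threshold."""
    per_acct = defaultdict(list)
    for ts, acct, n in map(parse, log):
        per_acct[acct].append((ts, n))
    flagged = set()
    for acct, events in per_acct.items():
        events.sort()
        start, total = 0, 0
        for ts, n in events:
            total += n
            while ts - events[start][0] > window:   # drop events that fell out of the window
                total -= events[start][1]
                start += 1
            if total > threshold:
                flagged.add(acct)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("burst detector:", burst_alerts(SAMPLE_LOG))        # only bob
    print("sliding-window detector:", slow_drip_alerts(SAMPLE_LOG))  # bob and carol
```

The window sum is the piece a burst threshold lacks; in practice the per-account threshold would come from that account's own historical baseline rather than a fixed constant.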