Over a decade ago, I pointed out that every single time there were reports of big “data leaks” via hacking, a few weeks after the initial report, we would find out that the leak was even worse than originally reported. That maxim has held true over and over again. And, here we go again. Last week, we noted that the US government’s Office of Personnel Management had been hacked, likely by Chinese hackers. And, now, it has come out that the hack was (you guessed it) much worse than originally reported.
The President of the union that represents federal government workers, the American Federation of Government Employees (AFGE) sent a letter to the director of the OPM, claiming that the hackers got away with the Central Personnel Data File, which includes full information on just about everything about that employee — including (get this) unencrypted social security numbers.
Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees. We believe that hackers have every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more.
Oh, and then there’s this:
Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.
The letter further points out — as we did last week — that the 18 months of credit monitoring the government has offered everyone is a complete joke. It’s unlikely that the hackers are looking to do identity fraud for financial gain — and quite likely this is for espionage purposes.
But, let’s go back to the Social Security numbers being unencrypted for a second. Remember, this hack is already being used by defenders of the intelligence agencies to argue for why we need stronger “cybersecurity” laws that will give the NSA and FBI much greater access to Americans’ data.
Both of these organizations strongly support “cybersecurity” legislation, claiming that it’s necessary so that the US government can “help” companies dealing with “critical infrastructure.” And yet, here we are, with the government’s own personnel files being held in a system without encryption that was hacked and copied by (likely) foreign hackers. And we’re supposed to trust two government agencies that have been going around cursing encryption when they tell us to give them more access to “protect us,” even though another government agency’s breach likely could have been prevented if it had just used encryption?
As plenty of cybersecurity experts will tell you, the problem in the security realm is not “information sharing.” It’s people doing stupid things in how they set up their systems. Not encrypting the employee files for every government employee seems to fit into that category. Perhaps, rather than focusing on bogus “cybersecurity” legislation to give more power to the idiots shouting against encryption, we should have the government focus on getting its own house in order, including encrypting employee data.