Stories
Slash Boxes
Comments

SoylentNews is people

Breaking News
posted by takyon on Thursday June 04 2015, @10:30PM   Printer-friendly
from the nothing-personnel-kid dept.

The Office of Personnel Management has confirmed that around 4 million current and past employees have been affected by a data breach, potentially exposing personal data. Unnamed U.S. officials say that the hackers were from China.

Here is the U.S. Office of Personnel Management's statement:

The U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have compromised the personal information of current and former Federal employees.

Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks. As a result, in April 2015, OPM became aware of the incident affecting its information technology (IT) systems and data that predated the adoption of these security controls.

Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation to determine the impact to Federal personnel. OPM immediately implemented additional security measures to protect the sensitive information it manages.

Beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals whose Personally Identifiable Information was potentially compromised in this incident. The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

In order to mitigate the risk of fraud and identity theft, OPM is offering affected individuals credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. This comprehensive, 18-month membership includes credit report access, credit monitoring, identity theft insurance, and recovery services and is available immediately at no cost to affected individuals identified by OPM.

Additional information is available beginning at 8 a.m. CST on June 8, 2015 on the company's website, www.csid.com/opm, and by calling toll-free 844-222-2743 (International callers: call collect 512-327-0700).

Related Stories

Hacking of Federal Security Forms Much Worse than Originally Thought 55 comments

We had two submissions with updates concerning a US Government data breach.

A second round of hacks have been unleashed upon a vast range of already beleaguered U.S. federal government departments. The attacks again came from hackers linked to China, with the estimated figure upon personal data exposure this time running to about 14 million government employees across records dating back to the 1980s.

With each detailed personal file containing up to 780 identifying pieces of information, the breach constitutes one of the most intense computing blunders in governmental history. Though much can and has been said of the U.S. government's data collection abilities, their data protection skills clearly lack such polish.

Adam Chandler writes in The Atlantic that last week it was revealed that all of the data on Standard Form 86 — filled out by millions of current and former military and intelligence workers — is now believed to be in the hands of Chinese hackers. Form 86 requires that an applicant disclose everything from mental illnesses, financial interests, and bankruptcy issues to any brush with the law and major or minor drug and alcohol use. The application also requires a thorough listing of an applicant's family members, associates, or former roommates so hackers may have not only troves of personal data about Americans with highly sensitive jobs, but also the contacts or family members of American intelligence employees living abroad who could potentially be targeted for coercion.

At its worst, this cyberbreach also provides a basic roster of every American with a security clearance. "That makes it very hard for any of those people to function as an intelligence officer," says Joel Brenner. "The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That's a gold mine. It helps you approach and recruit spies."

Meanwhile the number of current and former federal employees compromised has ballooned from 4 million to as many as 14 million. The scope of the breach is remarkable, experts say, because the personnel office apparently learned little from earlier government data breaches like the WikiLeaks case and the surveillance revelations by Edward J. Snowden, both of which involved unencrypted data. "This is potentially devastating from a counter­intelligence point of view," concludes Brenner.


Original Submission #1 Original Submission #2

See our story on the earlier breach.

Encryption Would Not have Protected Secret Federal Data Says DHS 22 comments

Sean Gallagher reports at Ars Technica that Dr. Andy Ozment, Assistant Secretary for Cybersecurity in the Department of Homeland Security, told members of the House Oversight and Government Reform Committee that in the case of the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, encryption would "not have helped" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering.

Ozment added that because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network. "If the adversary has the credentials of a user on the network, they can access data even if it's encrypted just as the users on the network have to access data," said Ozment. "That did occur in this case. Encryption in this instance would not have protected this data."

The fact that Social Security numbers of millions of current and former federal employees were not encrypted was one of few new details emerged about the data breach and House Oversight member Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others failed. "This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in because of the obfuscation and the dancing around we are all doing here. As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It's ironic. You are doing a great job stonewalling us, but hackers, not so much."

See our earlier stories: U.S. Government Employees Hit By Massive Data Breach and Hacking of Federal Security Forms Much Worse than Originally Thought


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by MichaelDavidCrawford on Thursday June 04 2015, @10:41PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday June 04 2015, @10:41PM (#192288) Homepage Journal

    My social security number is 518-92-8663 and my California ID card is C0225719.

    Have A Nice Day!

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 3, Touché) by takyon on Thursday June 04 2015, @10:44PM

      by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Thursday June 04 2015, @10:44PM (#192290) Journal

      ^ Modded parent slow clap

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 0) by Anonymous Coward on Friday June 05 2015, @12:17AM

      by Anonymous Coward on Friday June 05 2015, @12:17AM (#192312)

      https://m.youtube.com/watch?v=PhiWc99KrLg [youtube.com]

      Baby I'm more than a little concerned you see
      About the New World Order conspiracies
      And the covert spreading of deadly disease
      They've got earthquake machines and UFO's
      And black helicopters wherever we go
      But I forget them all when you are with me
      They can telepathically read my mind I'm not scared of what
      They'll find - Let them do what they're gonna do
      Cuz if the government can read my mind
      They know I'm thinking of you

      They've got secretly funded internment camps
      And biological warfare labs
      But when you look at me they all don't seem so bad
      They've got Martian traded technology
      And mind control psychology
      I'll let them do what they wanna do
      Cuz if the government can read my mind
      They know I'm thinking of you

      I could stockpile food and join a militia
      But I'd rather stay at home and kiss ya
      Let them do what they're gonna do
      Cuz if the government can read my mind
      They know I'm thinking of you

      If the government can read my mind baby
      You know it doesn't matter what They find
      Cuz if the government can read my mind
      They know I'm thinking of you

      • (Score: 2) by Hartree on Friday June 05 2015, @12:37AM

        by Hartree (195) on Friday June 05 2015, @12:37AM (#192315)

        Breathes there the man, with soul so dead, Who never to himself hath said, "Hooray! I'm under telepathic surveillance!"

    • (Score: 2) by isostatic on Friday June 05 2015, @08:34AM

      by isostatic (365) on Friday June 05 2015, @08:34AM (#192420) Journal

      The source of this breakin was www.google-analytics.com, so you were safe.

    • (Score: 0) by Anonymous Coward on Friday June 05 2015, @01:31PM

      by Anonymous Coward on Friday June 05 2015, @01:31PM (#192512)

      My ssn is 567-68-0515

      • (Score: 0) by Anonymous Coward on Friday June 05 2015, @03:42PM

        by Anonymous Coward on Friday June 05 2015, @03:42PM (#192570)

        My ssn is 567-68-0515

        Mine is 111-11-1111. Go ahead and steal my identity!!!

  • (Score: 1, Touché) by Anonymous Coward on Thursday June 04 2015, @10:47PM

    by Anonymous Coward on Thursday June 04 2015, @10:47PM (#192293)

    Looks like SN is getting faster with breaking news stories
    Nice work editors :)

    • (Score: 2) by isostatic on Friday June 05 2015, @08:35AM

      by isostatic (365) on Friday June 05 2015, @08:35AM (#192421) Journal

      Still not fast enough, should have been a day earlier.

      • (Score: 1, Funny) by Anonymous Coward on Friday June 05 2015, @12:07PM

        by Anonymous Coward on Friday June 05 2015, @12:07PM (#192468)

        Fuck that. I demand a month earlier!

  • (Score: 0, Disagree) by Anonymous Coward on Friday June 05 2015, @12:32AM

    by Anonymous Coward on Friday June 05 2015, @12:32AM (#192314)

    Breaking news implies that Soylent News is an original source of the news, that Soylent news is breaking the news. Simply copying it from another source and calling it breaking news is taking credit where none is deserved.

    • (Score: 3, Funny) by GungnirSniper on Friday June 05 2015, @12:42AM

      by GungnirSniper (1671) on Friday June 05 2015, @12:42AM (#192316) Journal

      Would you prefer a SOYLENT NEWS ALERT sweeper with a seizure-inducing animation and serious, urgent music, followed by a newscaster with too-perfect-hair reading the same text to you from a teleprompter?

    • (Score: 2) by c0lo on Friday June 05 2015, @12:59AM

      by c0lo (156) Subscriber Badge on Friday June 05 2015, @12:59AM (#192321) Journal
      Alert! We have a "Pedantic of the day" award.
      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by bootsy on Friday June 05 2015, @09:24AM

        by bootsy (3440) on Friday June 05 2015, @09:24AM (#192433)

        You mean "Pedant of the day". Oh, err yes well. I knew what you meant....

    • (Score: 2, Insightful) by DaTrueDave on Friday June 05 2015, @01:43AM

      by DaTrueDave (3144) on Friday June 05 2015, @01:43AM (#192335)

      No it doesn't. Breaking news means that the story is still developing. As we don't know anything about the breach, or the breachers, or what else may have been breached, it's certainly a developing story. It probably won't develop as much as we'd like the story to, but the story is definitely not complete.

    • (Score: 2) by takyon on Friday June 05 2015, @02:28AM

      by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Friday June 05 2015, @02:28AM (#192345) Journal

      That is the dumbest shit I've heard today.

      EXCLUSIVE is the word you're looking for.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 1) by sudo rm -rf Slashdot on Friday June 05 2015, @04:39PM

      by sudo rm -rf Slashdot (5424) on Friday June 05 2015, @04:39PM (#192583)

      You may think that is the case, but I, utilizing my brain, deduced that Soylent News received the information from the links provided within TFA.

  • (Score: 0) by Anonymous Coward on Friday June 05 2015, @02:01AM

    by Anonymous Coward on Friday June 05 2015, @02:01AM (#192341)

    Would guess that opm would, and the Chinese pre-established their attack on those fireeye boxes?

  • (Score: 0) by Anonymous Coward on Friday June 05 2015, @02:46AM

    by Anonymous Coward on Friday June 05 2015, @02:46AM (#192348)

    CSID's campaign contributions are paying off nicely.

  • (Score: 1, Insightful) by Anonymous Coward on Friday June 05 2015, @03:13AM

    by Anonymous Coward on Friday June 05 2015, @03:13AM (#192355)

    How much of that 10 billion dollar yearly budget [washingtonpost.com] would it have taken to actually shore up national security rather than peep on everybody?

    Once again, when it comes to computer security a good offense is the shittiest defense. Every vulnerability you leave unreported and unfixed so as to more easily penetrate the enemy's systems is a vulnerability the enemy can use to penetrate your systems.

    • (Score: 1) by arulatas on Friday June 05 2015, @03:38PM

      by arulatas (3600) on Friday June 05 2015, @03:38PM (#192568)

      It is easier for them to break something than to fix it.

      --
      ----- 10 turns around
  • (Score: 0) by Anonymous Coward on Friday June 05 2015, @09:38AM

    by Anonymous Coward on Friday June 05 2015, @09:38AM (#192434)

    Hey there, Big Bro! (Looking at YOU, General Clapper!)

    Maybe if you spent less resources of sniffing for koran verses in my daughter's twitter feeds and payed attention one of your chartered fucking MISSIONS this wouldn't have happened.

  • (Score: 2) by cyrano on Friday June 05 2015, @12:37PM

    by cyrano (1034) on Friday June 05 2015, @12:37PM (#192476) Homepage

    "The email will come from opmcio@csid.com..."

    Is that a kind of an invitation to start phishing?

    Seems like good business too. Find a hole, get payed. Find an intrusion, sell insurance. Follow up problem, bill the government... Endless possibilities.

    --
    The quieter you become, the more you are able to hear. - Kali [kali.org]
    • (Score: 2) by takyon on Friday June 05 2015, @01:07PM

      by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Friday June 05 2015, @01:07PM (#192493) Journal

      If I read the statement right, only employees that had their email compromised (on file) will get the identity theft service email.

      A disaster on top of a disaster.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 2) by TK on Friday June 05 2015, @02:26PM

        by TK (2760) on Friday June 05 2015, @02:26PM (#192545)

        There's got to be a list of .gov email addresses floating around somewhere. Hell, it may even be publicly available on one of the .gov sites.

        This really does seem like the perfect setup for a phishing email.

        wARMING! yOUR aCCOUNT mAY bE cOMPROMISED

        In accord with government mandate. You are entitled to free credit monitor service. PLease following link below to sign up for free service. Provide credit card number for proof of identity.

        --
        The fleas have smaller fleas, upon their backs to bite them, and those fleas have lesser fleas, and so ad infinitum