Recently, the federal government’s HR office (a.k.a. the Office of Personnel Management, or OPM) disclosed that it was hacked and that the private information of more than 4 million current and former federal workers was exposed. The admission was shocking, but not surprising, as the OPM had not taken seriously the recommendations made to prevent such a hack.
A few weeks later, it is worse than was originally admitted. Officials have acknowledged another intrusion dating back to last June that exposed millions of security clearance background check files for the military and intelligence community, as well as government contractors. So the two data breaches collectively exposed more than four times as many people as OPM originally disclosed.
An estimated 18 million current, former, and prospective federal employees reportedly are affected, a number OPM appears to be trying to avoid claiming. What this means is that, if you’ve ever applied for a job with the federal government online – even if your resume fell into the dark abyss of resumes for government jobs – your identity may be at risk.
This reportedly came to light from the FBI director during a closed-door briefing with senators and was based upon OPM’s internal data. While OPM continues to stick by the 4 million estimate, the reported FBI numbers appear to be much more serious.
Of course the other big question is: how did this happen? At least in part, OPM appears to have failed to meet security standards for how it collected and stored the data it compiled. There are also theories that a data breach of an OPM contractor may have set the stage for this daring hack. Comparing it to stealing the keys to the kingdom, experts think the breaches were connected. Not surprisingly, OPM is denying this theory, as well as saying their hack pre-dates the breach of their contractor. In either case, does OPM even have a leg to stand on?
The same hackers who accessed OPM's data are believed to have last year breached an OPM contractor, KeyPoint Government Solutions, U.S. officials said. When the OPM breach was discovered in April, investigators found that KeyPoint security credentials were used to breach the OPM system.
Some investigators believe that after that intrusion last year, OPM officials should have blocked all access from KeyPoint, and that doing so could have prevented more serious damage. But a person briefed on the investigation says OPM officials don't believe such a move would have made a difference. That's because the OPM breach is believed to have pre-dated the KeyPoint breach. Hackers are also believed to have built their own backdoor access to the OPM system, armed with high-level system administrator access to the system. One official called it the "keys to the kingdom." KeyPoint did not respond to CNN's request for comment.
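The disagreement in the paragraph above is really about two different kinds of access: the contractor's own credentials, which revoking KeyPoint access would have removed, and backdoor administrator accounts the intruders set up for themselves, which such a revocation does not touch. The following Python script is an added illustration of that distinction, not code from the article or from any agency involved; the account names, event log and dates in it are constructed, and the functions are hypothetical. It runs an access review over a small account-event log and shows that blocking the contractor identity leaves behind any privileged account that identity created.

```python
"""Added example: why revoking a contractor's credentials does not by itself
close an intrusion in which the attacker has already created privileged
accounts. All events, account names and dates below are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccountEvent:
    when: datetime
    action: str   # "login", "create_account" or "grant_admin"
    actor: str    # account that performed the action
    target: str   # account affected (same as actor for a login)


# Constructed sample event log. "vendor_" marks the hypothetical contractor
# identity; "svc_backup" is the account it creates and elevates.
EVENTS = [
    AccountEvent(datetime(2014, 6, 2, 9, 0), "login", "vendor_tech01", "vendor_tech01"),
    AccountEvent(datetime(2014, 6, 2, 9, 5), "create_account", "vendor_tech01", "svc_backup"),
    AccountEvent(datetime(2014, 6, 2, 9, 6), "grant_admin", "vendor_tech01", "svc_backup"),
    AccountEvent(datetime(2014, 7, 10, 22, 0), "login", "svc_backup", "svc_backup"),
    AccountEvent(datetime(2014, 8, 1, 8, 0), "login", "ops_admin", "ops_admin"),
    AccountEvent(datetime(2014, 8, 1, 8, 2), "create_account", "ops_admin", "new_hire7"),
]

# Constructed inventory of administrators the organisation knows about.
AUTHORIZED_ADMINS = {"ops_admin", "sec_admin"}

# Constructed date on which all contractor credentials are blocked.
REVOCATION_DATE = datetime(2014, 6, 30)
VENDOR_PREFIX = "vendor_"


def privileged_accounts_outside_inventory(events, authorized):
    """Accounts granted admin rights that the admin inventory does not list."""
    return {e.target for e in events
            if e.action == "grant_admin" and e.target not in authorized}


def accounts_created_by_vendor(events, vendor_prefix):
    """Accounts created or elevated by the contractor identity: access that
    survives revoking the contractor's own credentials."""
    return {e.target for e in events
            if e.action in ("create_account", "grant_admin")
            and e.actor.startswith(vendor_prefix)}


def logins_after_revocation(events, accounts, revoked_at):
    """Which of the given accounts still log in after the contractor is blocked."""
    return {e.actor for e in events
            if e.action == "login" and e.actor in accounts and e.when > revoked_at}


def remaining_exposure():
    """Run the review over the constructed log and return what revocation misses."""
    backdoors = accounts_created_by_vendor(EVENTS, VENDOR_PREFIX)
    return logins_after_revocation(EVENTS, backdoors, REVOCATION_DATE)


if __name__ == "__main__":
    print("admin accounts not in inventory:",
          privileged_accounts_outside_inventory(EVENTS, AUTHORIZED_ADMINS))
    print("accounts the contractor identity created or elevated:",
          accounts_created_by_vendor(EVENTS, VENDOR_PREFIX))
    print("still logging in after contractor revocation:", remaining_exposure())
```

The two checks are complementary: the inventory comparison catches a privileged account regardless of who created it, while the actor-based review ties the account back to the compromised identity, which is what tells a responder that blocking the contractor alone is not enough.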
The actual number of people affected is expected to grow, in part because hackers accessed a database storing government forms used for security clearances, known as SF86 questionnaires, which contain the private information of multiple family members and associates for each government official affected, these officials said.
OPM officials are facing multiple congressional hearings this week on the hack and their response to it. There's growing frustration among lawmakers and government employees that the Obama administration's response has minimized the severity of breach.
Not only has OPM been defiant, but – taking a page from sister agency the IRS, which also collects massive amounts of private information about Americans – OPM appears to have been dodging Congress and producing documents more slowly than it should.
The quote of the week came from Rep. Stephen Lynch, D-Mass., at a hearing about the breaches, when he told the OPM head, "I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are at keeping information out of the hands of Congress."
It almost feels like another day, another data breach, another defiant federal agency. Data breaches of course are not confined to the federal government. We’ve lost track of the number of breaches at our favorite retailers and restaurants. It’s nothing to shrug our shoulders at, but let’s note the difference in how the private sector responds compared to government agencies.
In the private sector, your reputation is your business. In a free market that provides consumers with many options, they will opt for your competitor if your business practices are harmful or they feel mistreated. Thus, companies disclose breaches, provide help and identity theft protection for victims, and work to ensure that such instances don’t occur again.
On the contrary, government agencies dodge questions, hide the truth, and whine that they don’t have enough money. Their agency reputation means little when federal employees know their job security is firm. These data breaches are exposing not just weaknesses in federal agency systems but also a mentality of defiance and arrogance. Unfortunately, replacing the head of OPM does not get to the systemic cancer that is endemic among federal agencies.