by Robert Cringely, published July 30, 2015
While the U.S. Government has been remarkably opaque about the recently discovered security breach at the Office of Personnel Management (OPM), we know that personal information on at least 21.5 million present, former, and prospective federal employees was lost. The Feds claim Chinese hackers are at the bottom of it, which is disputed by the Chinese government. This, to me, raises a number of questions, especially about the possible role of IT outsourcing firms and implications for organizations beyond OPM. Does IT outsourcing make your data more vulnerable? Yes, I believe it does.
It’s easy to blame the Office of Personnel Management for its own troubles. Oversight was lax. The agency failed a security audit and didn’t seem to do much in response. When shit hit the fan and it became clear that the identity of almost every living person associated in any way with Federal employment had been compromised, the agency lamely offered 18 months of identity theft screening but then didn’t have the money to pay for it. Pathetic. Both the Obama Administration and Congress are to blame, the former for mismanagement and the latter for “starving the beast” by limiting the OPM budget, pushing the agency toward cost-saving decisions that at least to some extent led to the current crisis.
And a crisis it is. The scope of this hack is mind-boggling. There are 4.5 million Federal employees, yet the identities of at least 21.5 million people are involved. How can that be? Well, just to give one example, every person with a federal security clearance has to file annually (this seems to vary from agency to agency — see comments below) a 120-page Standard Form 86 updating information about their every social and business contact. All of those Standard Form 86s — millions of them — were stolen. Given that we live in a world of Big Data and six degrees of separation, it’s logical to assume that with some effort nearly every U.S. adult has been compromised in some way by this theft, whether or not you know that Uncle Jim used to be a courier for the CIA.
This is way worse than Target or Home Depot, yet those stories lingered in the press for months while OPM seems already to have disappeared.