Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?’”
Did OPM … not understand that it was an attractive target for hackers? That’s hard to believe, as the director told Congress two days ago that they deal with 10 million hacking attempts per month. But it’s easy to square with their behavior. They’re the biggest treasure trove of personal information on U.S. federal workers in the world, and yet giving root access to contractors working in China evidently sounded no alarms. That’s the thing about this hacking episode — although the feds are being cagey with details for understandable reasons, you don’t get the sense from what we know that it was some sort of groundbreaking advance in hackery by China, the cyberespionage equivalent of Stuxnet. The distinct impression you get is that it was likely much easier for them than anyone thought.
But wait. It gets worse:
Over the last nine days, the Office of Personnel Management has sent e-mail notices to hundreds of thousands of federal employees to notify them of the breach and recommend that they click on a link to a private contractor’s Web site to sign up for credit monitoring and other protections.
But those e-mails have been met with increasing alarm by employees — along with retirees and former employees with personal data at risk — who worry that the communications may be a form of “spear phishing” used by adversaries to penetrate sensitive government computer systems.
After the Defense Department raised a red flag about the e-mails its 750,000 civilian employees were starting to receive, OPM officials said late Wednesday that the government had suspended its electronic notifications this week.
Sending an e-mail with a mysterious link in it that purports to be from a trusted entity is precisely the sort of thing experts are worried that China will do to American employees whose computers they want to access. People whose data was stolen have been reading about the breach this week and how easy this’ll make it for Chinese spies to send official-looking phony e-mails to their personal accounts as a way to bait them into clicking over to a page with malware — and now, lo and behold, here’s our moronic government sending exactly that type of e-mail to jittery Americans. Again: Complete confidence.
It’s not just civilian employees who were exposed either. Defense is increasingly worried that a separate hack compromised the SF-86 biographical info of hundreds of thousands of service members. Does that include Special Forces, whose identities are guarded precisely because they’re more likely to be targeted by enemy powers? Unclear so far.