How many forum members have been affected by these data breaches?

Londo_Jowo

Lifer
Jan 31, 2010
17,303
158
106
londojowo.hypermart.net
This is unbelievable. You would think that the government would have this data locked down.

Union: Hackers have personnel data on every federal employee

"We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees."
 

Londo_Jowo

Lifer
Jan 31, 2010
17,303
158
106
londojowo.hypermart.net
You clearly have little to no experience with bureaucratic organizations then.

I was in the US Navy for 12 years and I know the lengths the Navy went to to ensure sensitive data was protected. Seems like the US government would have gone to great lengths to protect the personal data of those who work/have worked for them.
 

PokerGuy

Lifer
Jul 2, 2005
13,650
201
101
This is government we're talking about. If private corps get hacked regularly, you can bet the government systems are even less well managed. As a bonus for crooks, they contain more sensitive information than most private databases. When Target gets hacked, the crooks get your name, address, and maybe credit card info. With this hack, the crooks got personnel data, SS numbers, medical records, maybe even information about clearance levels and such. Yikes.
 

postmortemIA

Diamond Member
Jul 11, 2006
7,721
40
91
The answer is simple: gov't has a hard time hiring top talent, because of its well-known incompetence. Even if you work there, you can't make much difference due to bureaucracy and, again, incompetence of your superiors.
 
Dec 10, 2005
29,108
14,476
136
The answer is simple: gov't has a hard time hiring top talent, because of its well-known incompetence. Even if you work there, you can't make much difference due to bureaucracy and, again, incompetence of your superiors.
I wouldn't say that it is just the bureaucracy that stands in the way. The government has a problem just obtaining new systems. Congress never allocates enough money for IT systems, both for hiring competent people and for upgrading old, outdated equipment.
 

rudeguy

Lifer
Dec 27, 2001
47,351
14
61
Not this one.

I got hit hard by Chase's data breach. It was about as worst case scenario as it could possibly be. Not only did the hackers get my account info, they also got a ton of my personal info. They have enough of my info that I had to shut down the ability to make ANY changes to my account unless I physically go into a branch. Need to order checks? Gotta go in. Need to change the payee on online bill pay? Gotta go in. It's a huge pain in the ass.
 

Bowfinger

Lifer
Nov 17, 2002
15,776
392
126
This is government we're talking about. If private corps get hacked regularly, you can bet the government systems are even less well managed.
That's a useless assertion based solely on partisan ideology, not reality. All IT organizations, public and private, struggle with security. It's an endlessly escalating arms race between the black hats whose whole "business" is penetrating systems and their targets for whom IT security is expensive -- but necessary -- overhead. The black hats have greater expertise and a much, much easier job. While the victims' IT security must be perfect across thousands of devices, the crooks need find only a single hole.

Realistically, it's a battle companies cannot win. The IT security profession has slowly come to recognize this, and is changing tactics. While preventing intrusion is still a high priority, there is now an assumption that some will get in anyway. Consequently, there is increasing focus on how to keep intruders contained once they breach the perimeter. This includes measures like internal firewalls, internal data encryption, special secure network "cages" for database servers with sensitive data, and aggressive patching and tight security on internal servers that used to be lower priority because they had no direct external access.

Unfortunately, this is all expensive. Companies face a challenging balance between those very real costs versus the potential costs of a breach.


As a bonus for crooks, they contain more sensitive information than most private databases. When Target gets hacked, the crooks get your name, address, and maybe credit card info. With this hack, the crooks got personnel data, SS numbers, medical records, maybe even information about clearance levels and such. Yikes.
Ever hear of the Sony breach? They also had their personnel database breached. So have a lot of other companies that receive less publicity because there are NOT millions of affected customers. Companies have a legal obligation to report breaches that expose customer data. They often do not if it's only internal information.


All that said, this was a huge breach. I agree Uncle Sam failed to secure this data properly, and that government HR data is potentially more sensitive than private sector HR. I challenge the knee-jerk partisan notion that everything about the business of government is inherently inferior to the private sector. It's a great talking point for the flock, but in my experience such broad generalizations are a mark of ignorance. Neither government nor private businesses are homogeneous. I've seen sections in both that are exceptionally well managed; I've seen other areas that are horribly mismanaged train wrecks. Reality rarely matches simple-minded stereotypes.
 

cabri

Diamond Member
Nov 3, 2012
3,616
1
81
A big problem is that the government agencies seem to think that because they are the UNITED STATES GOVERNMENT that they are immune to being targeted.

The weight of the USA will be behind any retaliation/punishment.
Ignoring that the USA only can impose such a will within our country.
 

unokitty

Diamond Member
Jan 5, 2012
3,346
1
0
OPM Hackers Stole Data on Every Federal Employee
In a letter sent to OPM director Katherine Archuleta and obtained by National Journal, American Federation of Government Employees President J. David Cox wrote that the hackers stole Social Security numbers, birthdays, addresses, military records, job and pay histories, and various insurance information, in addition to age, gender, and race data.

"Based on the sketchy data OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree...

Billions of dollars for TSA's security theater.

Billions of dollars to gather meta data on every phone call that you and I make.

It's just a matter of priorities, isn't it?

Uno
 

rudeguy

Lifer
Dec 27, 2001
47,351
14
61
I really want to jump on the "the government sucks" bandwagon here, but the reality is this is serious shit.

Why aren't we contracting out security of all sensitive (national security and personal security) systems to highly qualified companies? Can the government honestly offer anything close to what a private company could? Wouldn't this also solve data compliance issues?

Why have the government spend tens of billions (maybe more?) when we could hire a private company to do it better, cheaper?

I'm asking questions here. Not slamming any decision previously made. I'm just thinking it's time to make things bulletproof.
 

fskimospy

Elite Member
Mar 10, 2006
88,061
55,562
136
I really want to jump on the "the government sucks" bandwagon here, but the reality is this is serious shit.

Why aren't we contracting out security of all sensitive (national security and personal security) systems to highly qualified companies? Can the government honestly offer anything close to what a private company could? Wouldn't this also solve data compliance issues?

Why have the government spend tens of billions (maybe more?) when we could hire a private company to do it better, cheaper?

I'm asking questions here. Not slamming any decision previously made. I'm just thinking it's time to make things bulletproof.

I'm pretty sure they already do that.
 

Londo_Jowo

Lifer
Jan 31, 2010
17,303
158
106
londojowo.hypermart.net
Why have the government spend tens of billions (maybe more?) when we could hire a private company to do it better, cheaper?

I think this may be part of the problem as something that is cheaper doesn't always make it better. It sounds like they were getting a demo of software that would make the system more secure when the malware was discovered.

Fuze-Branding-Good-Cheap-Fast-Chart.png
 

TheSlamma

Diamond Member
Sep 6, 2005
7,625
5
81
This is unbelievable. You would think that the government would have this data locked down.
Who would think that? People who watch too many movies and actually think the government has their act together?

Most gov employees are there cause they can't make it in the private sector.
 

PokerGuy

Lifer
Jul 2, 2005
13,650
201
101
That's a useless assertion based solely on partisan ideology, not reality.

Not reality? And you know this.... how? Competition creates an incentive for efficiency and improvement. Government agencies have no competition, and "customers" have no other option than to deal with them so they have much less of an incentive to improve and become more efficient. Have you been to a DMV office lately? :D I figured you or eskimo would come to the 'rescue' and defend the highly efficient and customer friendly government :cool:

All IT organizations, public and private, struggle with security. It's an endlessly escalating arms race between the black hats whose whole "business" is penetrating systems and their targets for whom IT security is expensive -- but necessary -- overhead. The black hats have greater expertise and a much, much easier job. While the victims' IT security must be perfect across thousands of devices, the crooks need find only a single hole.

Realistically, it's a battle companies cannot win. The IT security profession has slowly come to recognize this, and is changing tactics. While preventing intrusion is still a high priority, there is now an assumption that some will get in anyway. Consequently, there is increasing focus on how to keep intruders contained once they breach the perimeter. This includes measures like internal firewalls, internal data encryption, special secure network "cages" for database servers with sensitive data, and aggressive patching and tight security on internal servers that used to be lower priority because they had no direct external access.

Unfortunately, this is all expensive. Companies face a challenging balance between those very real costs versus the potential costs of a breach.

I agree with that assessment.

Ever hear of the Sony breach? They also had their personnel database breached. So have a lot of other companies that receive less publicity because there are NOT millions of affected customers. Companies have a legal obligation to report breaches that expose customer data. They often do not if it's only internal information.

We're talking about scale here and what information is likely to get compromised. Customers who just do business with a retailer (for example) are not likely to have their private info stolen, other than name, phone, credit cards etc, because the retailer doesn't have it. Obviously internal records on employees can also be stolen, but that doesn't impact the customers. When private info like SS number gets stolen, it's much worse, that's when the trouble really begins (ask rudeguy!). Obviously this can happen with private companies as well (like a bank, or insurance company etc). No private employer has 4+ million employees, this is really about scale.

I challenge the knee-jerk partisan notion that everything about the business of government is inherently inferior to the private sector.

I didn't say "everything". In general though that's not a "knee-jerk" reaction, we've known that to be the case long before this breach.

Neither government nor private businesses are homogeneous. I've seen sections in both that are exceptionally well managed; I've seen other areas that are horribly mismanaged train wrecks. Reality rarely matches simple-minded stereotypes.

Which organizations are under competitive pressure to constantly get better, more efficient and make more money? Which ones are under no competitive pressure whatsoever? That pretty much tells you all you need to know. Of course there are outliers and examples of where the expectations don't match reality, but any rational person would realize by default the lack of competition makes for lower efficiency and lower drive to improve. The same thing happens to private companies that become monopolies -- it's not a private / public thing, it's competition or lack of it.

Anyone who's ever been forced to deal with an organization (public or private) where the customers have no option to switch to a competitor knows how horrible their experience in general is. You think it's an accident that ISPs are consistently ranked as the worst companies to deal with? Of course not, it's because in most places customers have very limited options so the ISP isn't really focused on the customer experience.
 
Dec 10, 2005
29,108
14,476
136
Most gov employees are there cause they can't make it in the private sector.

:rolleyes: Maybe some government employees are there because they can't make it in the private sector, but that's a rather moronic argument to make. Plenty of highly skilled people work for the government that could work in the private sector - people in OMB, the FDA, the NIH, the USPTO...

Not reality? And you know this.... how? Competition creates an incentive for efficiency and improvement. Government agencies have no competition, and "customers" have no other option than to deal with them so they have much less of an incentive to improve and become more efficient. Have you been to a DMV office lately? I figured you or eskimo would come to the 'rescue' and defend the highly efficient and customer friendly government

The DMV lately has actually been pretty good. NYS allows you to make many changes online - with one login, I can pay my estimated taxes, change my DL's address, update other relevant DMV info, etc...
 

unokitty

Diamond Member
Jan 5, 2012
3,346
1
0
I was in the US Navy for 12 years and I know the lengths the Navy went to to ensure sensitive data was protected. Seems like the US government would have gone to great lengths to protect the personal data of those who work/have worked for them.

The John Walker Spy Ring and The U.S. Navy’s Biggest Betrayal
To hear the United States’ most notorious naval spy tell it, were it not for his ex-wife, Barbara – the weak link his Soviet handlers had warned him about – his espionage might have continued. As it was, however, John Walker’s ferreting went on far too long.... Indeed, he already enjoyed a U.S. Navy pension after retiring in 1976 as a senior warrant officer.

The Navy, in which John Walker served for 20 years, was enormously damaged by his espionage. Secretary of Defense Caspar Weinberger concluded that the Soviet Union made significant gains in naval warfare that were attributable to Walker’s spying. His espionage provided Moscow “access to weapons and sensor data and naval tactics, terrorist threats, and surface, submarine, and airborne training, readiness and tactics,” according to Weinberger.

ArsTechnica
Walker’s Cold War spying for the Soviets started in 1967, when he was selling information about US Navy communications systems and the encryption codes used to configure Navy communications gear for secure transmissions over the Fleet Broadcasting System. The information he provided, some claim, led directly to the North Korean seizure of the US Navy intelligence collection ship USS Pueblo, as the Soviets apparently spurred the attack to gain access to the hardware used with the material Walker provided just a month earlier.

Back then, crypto codes were printed on cards or sheets of paper. There were single-use pads for transmitting encoded voice communications in the clear over unencrypted circuits, and cards used to configure the switches on crypto gear in the radio room. It was this second category of materials, which had the printed cryptographic keys used with the KW-7 Orestes teletype encryption system, that Walker sold in bulk to the Russians—first by stealing them himself, and then by enlisting family members. The cards initially gave the directions for how to manually configure the “plugboard” in the KW-7, until the Navy moved to a punched card reader in 1977 to configure the daily codes.

As a result, the Soviets were able to record encrypted radio broadcasts from the fleet, and then attempt to match them up after the fact with the crypto keys provided by Walker. It didn’t give them immediate real-time insight into fleet operations, but it did give them access after the fact to millions of Top Secret-classified messages over the years. It included “access to weapons and sensor data and naval tactics, terrorist threats, and surface, submarine, and airborne training, readiness and tactics," Defense Secretary Caspar Weinberger had said. That data, Weinberger claimed, helped the Soviet Union make huge leaps forward in the development of their own navy.

It’s hard to calculate the total damage done by Walker. The data he provided could have contributed to Vietnam wartime deaths; it most certainly escalated the conventional arms race between the Soviet Union and the United States over the last two decades of the Cold War. And it could have led to the exposure of US intelligence assets around the world....

While I appreciate your posts, I can't forget that the US Navy's John Walker was selling crypto codes to the Russians for almost 20 years. And, likely wouldn't have been caught had his wife not turned him in...

Then again, perhaps you served after Mr. Walker retired from the US Navy...

Uno
 

Mursilis

Diamond Member
Mar 11, 2001
7,756
11
81
I was in the US Navy for 12 years and I know the lengths the Navy went to to ensure sensitive data was protected. Seems like the US government would have gone to great lengths to protect the personal data of those who work/have worked for them.

Then you, as a veteran, of all people should know how common this sort of thing is. The VA has had several very public data breach scandals, including one a few years back which involved several million veterans having their personal data stolen.
 

Mursilis

Diamond Member
Mar 11, 2001
7,756
11
81
Competition creates an incentive for efficiency and improvement.

Ideally, yes, but in reality, it also creates a strong incentive to circumvent the rules of the competitive event itself. Wall Street has certainly taught us that.