• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

This OPM data breach is bad, real BAD!!!

Page 3 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
steppinthrax said:
It's not.

But I suspect the vector is online. Back in 2007 the Gov switched the SF-86 to a online site called eqip.

https://www.opm.gov/investigations/e-qip-application/

As you can see the site is down for security enhancements!!!!!

My suspicion is some sort of hack traversal through this system to the repository!!!
Click to expand...

lol down for security enhancements!

I guess my point is why does it need to be attainable online in some shape or form? I can see why you'd want law enforcement data like that, but to house employee data is just asking for it.
 
steppinthrax said:
It's not.

But I suspect the vector is online. Back in 2007 the Gov switched the SF-86 to a online site called eqip.

https://www.opm.gov/investigations/e-qip-application/

As you can see the site is down for security enhancements!!!!!

My suspicion is some sort of hack traversal through this system to the repository!!!
Click to expand...

The horse has fled the barn! Let's lock the door!

My fraud protection for the SC breach has expired. So 3 more years for free!...Hip hip hooray 🙁



.
 
paperfist said:
lol down for security enhancements!

I guess my point is why does it need to be attainable online in some shape or form? I can see why you'd want law enforcement data like that, but to house employee data is just asking for it.
Click to expand...

It's for the investigators. They don't send someone from the OPM central offices to you for an interview. They have a network of local investigators and they all use that system. It's also for submissions and revisions by the applying member.

Unfortunately for me, the Chinese now know everything about me all the way back to 2003.
 
Are military clearances involved with this? I've heard that they could be, but the OPM doesn't acknowledge that at all.
 
With this latest release, yes, military is affected. We already got word at my unit. Pretty much every SF86 ever submitted to eQIP has been stolen.
 
repoman0 said:
https://www.opm.gov/cybersecurity/

The answer is "highly likely" yes, it does affect you. It appears to go all the way back to 2000.

So according to that site, OPM will be providing ID theft services to 20 million people, who will all apparently be notified with details in the mail in the next few weeks ....
Click to expand...

Here's what is counter-intuitive about the ID theft services though. It requires you to submit all the same information basically that just got stolen, which is a bit unnerving.

So, I just had all my private info stolen (dates of birth for all of my family members, financial accounts, etc.) and in order to protect myself I'm expected to give all that same information to someone else in order to protect myself.
 
MarkXIX said:
Here's what is counter-intuitive about the ID theft services though. It requires you to submit all the same information basically that just got stolen, which is a bit unnerving.

So, I just had all my private info stolen (dates of birth for all of my family members, financial accounts, etc.) and in order to protect myself I'm expected to give all that same information to someone else in order to protect myself.
Click to expand...

Yep we could not keep it secure the first time so please give it to us again.

"We take security very seriously"


...
 
paperfist said:
lol down for security enhancements!

I guess my point is why does it need to be attainable online in some shape or form? I can see why you'd want law enforcement data like that, but to house employee data is just asking for it.
Click to expand...

When you obtain employment within the fed gov or cleared contractor and they require a security clearance. They will direct you to this OPM website. This site pretty much allows you to fill out the SF-86 online and submit it. Honestly the interface is quite good. It branches quite well and authenticates the SF-86 quite well.

As a developer I know that no matter how strong you make a system, if there is a way to get in there will always be a way to get in!!!
 
I don't think this info will be used for fraud or identity theft. If it was the Chinese who got the data, it will be used for espionage, to try to get people to spy for them.

"Look, we aren't asking you to be a traitor. We're just asking for a little help so we don't have to tell your family or your wife about the incident. We can get the same information from the papers eventually and all we're asking is for you to give it to us directly. It's the same information they will release anyway, there's no harm in that. And you don't want your wife to find out about what happened before you met her, do you? Imagine how your kids will feel when it's all over the local papers and their friends find out."
 
kranky said:
I don't think this info will be used for fraud or identity theft. If it was the Chinese who got the data, it will be used for espionage, to try to get people to spy for them.

"Look, we aren't asking you to be a traitor. We're just asking for a little help so we don't have to tell your family or your wife about the incident. We can get the same information from the papers eventually and all we're asking is for you to give it to us directly. It's the same information they will release anyway, there's no harm in that. And you don't want your wife to find out about what happened before you met her, do you? Imagine how your kids will feel when it's all over the local papers and their friends find out."
Click to expand...

This is one time I am hoping this was government-backed, as it would be as you say: a lesser likelihood that this information is sold on the black markets to be used for identity theft.
 
Don't worry, I'm sure the government agencies or whoever was responsible for this breach has plenty of liability insurance. It's business as usual for them and they don't care. 😛

This does sound pretty bad though. This is only in the US right? I guess I don't have to worry, for now... But so many companies and agencies have our info now days, and they really don't care about security, so it's pretty much a ticking time bomb at all times.
 
Gillbot said:
Is there a way aside from sitting back and waiting to find out if your info has been compromised?
Click to expand...
In theory, you can go to a gov website to find out.

But that was prior to the last revelation.

Best to figure that if you had anything to do with clearances and/or Fed gov employment after 2000, you have been compromised.
 
steppinthrax said:
This is pretty crazy.

If anyone has Security Clearance (like me) they would know the process and the "full compliance" of information you have to provide on the SF-86 to obtain clearance.

Just imagine this get's released onto some dark website somewhere. People will see some very very very very private information about these individuals.

Far beyond on who has a clearance or not!!!!
Click to expand...

Yeah.... I've been parsing the Homeland Security bulletin and IOCs within with all the suspect files and md5 hashes. I've been helping customers automate the discovery of those files with my endpoint management agent.

MD5? Really? Sha1 and Sha256 are so much better for this than MD5 as MD5 will have false positives.

Federal gov't IT needs to get with the times.
 
Is it wrong that I'm not as worried about this data breach as I am about all that DNA they took from us years ago for "studies"?
 
Remember when you got asked "Could this information ever be used against you as blackmail?"

Time to put your money where your mouth is.
 
Amazing,Obama's campaign worker with no IT experience was an epic fail, and the cover up didn't work. Nothing new.
 
kranky said:
I don't think this info will be used for fraud or identity theft. If it was the Chinese who got the data, it will be used for espionage, to try to get people to spy for them.

"Look, we aren't asking you to be a traitor. We're just asking for a little help so we don't have to tell your family or your wife about the incident. We can get the same information from the papers eventually and all we're asking is for you to give it to us directly. It's the same information they will release anyway, there's no harm in that. And you don't want your wife to find out about what happened before you met her, do you? Imagine how your kids will feel when it's all over the local papers and their friends find out."
Click to expand...

I agree. Go through the SF86s and figure out who was a gambling addict, a kiddy toucher, etc. Then use as blackmail for nefarious deeds.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top