What Is the OPM Hack, and What Does it Mean For You?

Andre Infante 16-07-2015

Hacks happen. It seems like it’s almost every month that some large corporation flubs their computer security, and lets hackers make off with data on millions of users Target Confirms Up To 40 Million US Customers Credit Cards Potentially Hacked Target has just confirmed that a hack could have compromised the credit card information for up to 40 million customers that have shopped in its US stores between November 27th and December 15th of 2013. Read More . But what happens when it’s not a corporation, but the US government?


For weeks now, the news coming out of the Office of Personnel Management (OPM) has been getting steadily worse. The OPM, a little-discussed government office that stores records on employees, has been the subject of a hack of truly historic proportions.

The exact numbers have been challenging to get a handle on. When the hack was first announced, investigators were assured that the breach was discovered promptly using the government’s EINSTEIN internal security program, and it affected the records of around four million employees.

Since then, it’s become clear that the hack was discovered accidentally, long after it occurred – and the actual number affected is more like twenty-one million.

Unfortunately, computer security can tend to be confusing and dry. Despite all the reporting, many of you still may not have a good understanding of what was taken, how it happened, or how it affects you. I’m going to make an effort to break it down and answer some basic questions about the issue.

How Did The Hack Happen?

There have been signs that this sort of thing was likely for a while. The Snowden leak Hero or Villain? NSA Moderates Its Stance on Snowden Whistleblower Edward Snowden and the NSA's John DeLong appeared on the schedule for a symposium. While there was no debate, it seems the NSA no longer paints Snowden as a traitor. What's changed? Read More revealed just how bad federal computer security can be, even within the theoretically expert NSA. The situation at the OPM was even worse. The open had no security employees at all until 2013. They’d been repeatedly warned that their security practices were vulnerable to intrusion Worse Than Heartbleed? Meet ShellShock: A New Security Threat For OS X and Linux Read More .


The picture of incompetence is completed by reports that the incursion was discovered during a sales presentation by a company called CyTech Services, who found the malware while demonstrating their security scanning tool. It’s not clear how long hackers had access to the system, but ‘years’ is a plausible guess.


Unfortunately, this is far from an isolated incident among government agencies, and that shouldn’t surprise you. Look at the incentives: if Target is hacked, they lose millions of dollars in lawsuits and lost sales. The company takes a hit, and their competitors eat up market share. If a government office makes the same mistake, very little actually happens. They fire a few sacrificial lambs and try to look solemn during the hearings, and wait a few weeks for the 24-hour news cycle to get distracted by something shiny.

There’s very little practical incentive to change, and very few laws exist regarding cybersecurity. Of the few laws there are (like FISMA, the Federal Information Security Management Act), most aren’t followed closely. Around 75% of the OPM’s computer systems did not comply with that law.


This is a situation that is bad and getting worse. The Government Accountability Office reported in April that the number of security breaches at federal agencies skyrocketed from 5,500 in 2006 to more than 67,000 in 2014. In an interview with Re/code, Gregy Wilshusen, the author of the report, says this is because agencies often have crippling flaws in their internal security procedures, and often don’t fix vulnerabilities once they’re uncovered.

“When we evaluate these agencies, we often find that their internal testing procedures involve nothing more than interviewing the people involved, and not testing the systems themselves […] We consistently found that vulnerabilities that we identify as part of our testing and audit procedures are not being found or fixed by the agencies because they have inadequate or incomplete testing procedures.”

What Was Taken?


Another point of confusion has to do with the nature of the information the hackers had access to. The truth is that it’s pretty diverse, because several databases were accessed. The information includes social security numbers for just about everyone – which presents a huge threat of identity theft all by itself. It also includes 1.1 million finger print records, which endangers any system that relies on biometrics.

Most alarmingly, among the records stolen were millions of reports obtained during background checks and security clearance applications. I’ve participated in a number of background checks, as an alarming number of my old college friends now work for the US federal government. These background checks dig deep. They talk to your family, your friends, and your roommates to verify your entire life biography. They’re looking for any hints of disloyalty, or involvement with a foreign power, as well as anything that could possibly be used to blackmail you: addiction, infidelity, gambling, secret homosexuality, that kind of thing.


In other words, if you’re looking to blackmail a federal employee, this is pretty much a dream come true. The background check system has shut down in the wake of the hack, and it’s not clear when it’ll be operational again.

There’s also the larger concern that the attackers had access to these systems for a long time.

Who’s Affected?

Twenty-one million is a big number. The range of those directly affected spans current and former federal employees, as well as those who applied for a security clearance and were turned down. Indirectly, anyone close to a federal employee (think family, spouses, and friends) could be impacted if their information was noted in the background check.

If you think you might be affected by this, the OPM is offering some basic identity-theft protection resources in the wake of the incident. If you’re among those directly compromised, you should get an email, as the OPM figures out exactly who was affected.


However, these protections only account for identity theft and other fairly basic attacks using the data. For more subtle stuff, like extortion, there’s a limit to what the government can do. The protection only lacks 18 months – a patient hacker could easily sit on the information for that long.


What Will the Data Be Used For?

Lastly, we have the million-dollar question. Who took the data, and what are they planning to do with it? The answer is that, unfortunately, we don’t really know. Investigators have pointed their fingers at China, but we haven’t seen any concrete evidence released to back this up. Even then, it’s not clear whether we’re talking about Chinese freelancers, the Chinese government, or something in between.

So, without knowing the attackers or their motives, what could be done with this data?

Right off the bat, some obvious options present themselves. Social security numbers are not easily changed, and each one can be used in a potentially profitable identity theft. Selling these for a few dollars each, over time, could net a healthy nine-figure payday What Motivates People To Hack Computers? Hint: Money Criminals can use technology to make money. You know this. But you would be surprised just how ingenious they can be, from hacking and reselling servers to reconfiguring them as lucrative Bitcoin miners. Read More for the hackers, with nearly no effort.

Capturing the Flag

Then there’s nastier options. Let’s say you’re a foreign power and you come into contact with this information. All you need to do is find a federal employee with access to a critical system, who you have some dirt on via the hack. Maybe the first one is willing to let their infidelity/addiction/sexuality become public to protect their country. But you have millions of possible targets. Sooner or later, you’re going to run out of patriots. This is the real threat, from a national security perspective – though even a freelance hacker could use this to extort money or favors from millions of innocent people.

Security expert Bruce Schneier (who we spoke to on issues of privacy and trust Security Expert Bruce Schneier On Passwords, Privacy and Trust Learn more about security and privacy in our interview with security expert Bruce Schneier. Read More ) has speculated that there’s an additional risk that the attackers could have tampered with the contents of the database during the time they had access to it. It’s not clear that we’d be able to tell the database had been modified. They could, for example, potentially have given security clearance to foreign spies, which is a frightening thought.

What Can We Do?

Unfortunately, this is probably not the last hack of its kind. The kind of lax security procedures we see in the OPM are not uncommon in government agencies of its size. What happens if the next hack turns off electricity to half the country? What about air-traffic control? These aren’t ridiculous scenarios. We have already used malware to attack infrastructure; recall the Stuxnet virus, likely the work of the NSA Could These NSA Cyber-Espionage Techniques Be Used Against You? If the NSA can track you – and we know it can – so can cybercriminals. Here's how government-made tools will be used against you later. Read More , which we used to physically destroy Iranian nuclear centrifuges?

Our natural infrastructure is embarrassingly vulnerable, and deeply crucial. That’s a situation that’s not sustainable. And, as we read about this hack (and the next one), it’s important to remind ourselves that this is not an issue that goes away when the news cycle gets distracted, or when a few employees are fired. This is a systemic rot, one that’s going to keep hurting us, over and over, until we actually fix it.

Were you affected by the hack? Worried about low standards of computer security? Let us know in the comments!  

Image credits: Defcon ConferenceCrypto Card Two FactorUS Navy CyberDefenseCredit Card Theft, Keith Alexander

Related topics: Computer Security, Hacking, Online Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *