The computer breach of millions of U.S. government files appears to be growing both in size and scope.
And that, increasingly, has both cyber-security professionals and legions of federal employees seriously concerned.
An American labor union said on Thursday that hackers are now in possession of sensitive personnel information on all federal employees following a major cyber intrusion that U.S. officials say originated in China.
Officials at the Office of Personnel Management, or OPM, announced in early June that a massive data breach had been discovered in April, and that as many as four million personnel files of current and retired federal employees may have been compromised.
Investigators said that the hack appeared to begin around December 2014 and continued until it was discovered four months later. They also said that it appeared the attack originated within China.
Bloomberg reported this week that unnamed lawmakers briefed on the investigation said the number of compromised files could be much higher – as many as 14 million – and that hackers may have had access to federal computer systems for over a year.
The OPM serves, in part, as the U.S. government’s bookkeeper, and keeps the personnel records of all non-intelligence, non-military employees of the Executive branch of government. The U.S. Congress, Supreme Court, military and intelligence services keep their own records.
Those files contain large amounts of private and sensitive information, including family history, Social Security numbers, security clearances and financial details.
In a report published in November 12, 2014, the OPM’s inspector general harshly criticized the agency for having lax cyber-security, failing to encrypt data, and not maintaining a comprehensive map of where its data was stored.
In a letter this week to OPM, J. David Cox, the head of AFGE, one of the largest labor unions representing federal employees, wrote that “hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.” Cox called the breach “indefensible and outrageous.”
OPM has not commented on what specific files or information may have been stolen or who was affected.
While federal employees are rightly concerned about their private information potentially now in the hands of unknown hackers, cyber-analysts are increasingly worried the stolen files may represent a much larger security risk across the government as a whole.
Among the information in OPM personnel files is what’s known as the SF-86 form. Over 100 pages long, the SF-86 is used to grant various security clearances to federal workers and contains vast amounts of personal, educational, employment, and financial histories, as well as information on an individual’s activities overseas.
John-Pierre Auffret, director of the MS Management of Security Information Systems program at George Mason University, says the tools used by hackers are becoming cheaper, more abundant, and increasingly automated.
That gives hackers an asymmetric advantage over cyber-security professionals trying to keep databases safe, he said.
Auffret also cautioned the private data possibly stolen by the hackers raises a host of security concerns.
“If the data included clearance information, there’s a lot of information there that would put them [federal employees] at risk for blackmail,” Auffret said. “In addition, there would be listings of foreign contacts, individuals they’ve had contact with, which could be traced and put those people at potential risk as well.”
Tim Maurer , the director of the Global Cybersecurity Norms and Resilience Project at the New America Foundation, says that in addition to blackmail and contact tracing, the OPM data breach poses other serious cyber-risks as well.
For example, Maurer said information contained in the OPM files could be used to construct very detailed profiles of individuals working in key positions in the federal government. That profile, in turn, could be used to construct sophisticated spear-phishing attacks on those individuals, earning their trust only to steal more information or download malware.
“If it turns out this was a state actor, you could easily see how they could use this [data] for intelligence purposes,” Maurer said. “If we’re talking about spear-phishing attacks, these could also be used to steal even more data down the road that’s confidential.”
Maurer said that this wealth of private data isn’t just valuable now, but could be held onto for years when it may, in fact, become even more valuable.
“Or you could even imagine them storing the data and seeing more junior officers who are rising through the ranks, all that information in their security clearance documentation, that would become much more useful as they rise to senior positions for a variety of purposes,” he said.
Both Maurer and Auffret said that encryption is one of the more successful tools to fight hackers, not because it prevents intrusions but it renders the data useless without the encryption keys. The OPM data was not encrypted.
Given the vast amounts of information OPM manages, and the ease of hacking these days, analyst Auffret says it’s unlikely OPM, or any other larger governmental agency, could ever secure its entire system.
“It’s very difficult to secure everything, but if you prioritize key assets such as personnel databases, the industrial control systems and financials, then you have a much better chance of being successful,” he said.