OPM breach exposed SSNs, personnel records of all fed workers

As it becomes apparent that the federal data breach experienced by the Office of Personnel Management (OPM) is larger than first believed, exposing the Social Security numbers and personnel records of every federal worker - and as reports emerged that some of those records had surfaced on the darknet - members of Congress clashed over languishing cyber-security legislation.

OPM breach exposed SSNs, personnel records of all fed workers
OPM breach exposed SSNs, personnel records of all fed workers

As it becomes apparent that the federal data breach experienced by the Office of Personnel Management (OPM) is larger than first believed, exposing the Social Security numbers and personnel records of every federal worker – and as reports emerged that some of those records had surfaced on the darknet – members of Congress clashed over languishing cyber-security legislation.

In a letter to OPM Director Karen Archuletta (found here on scribd.com), American Federation of Government Employees (AFGE) President David Cox said, “Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.” 

Included in that is “every affected person's Social Security number, military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race union status, and more,” he said.

Chris Roberts, founder and CTO of OneWorldLabs (OWL) told FoxNews that login credentials into OPM systems have already hit the darknet. “The recent OPM breach was identified, noted and the credentials and identities have been discovered online and are being traded actively,” Roberts said in the report. Roberts, who recently caught flack from the FBI for allegedly hacking into airplane systems, added that typically means accounts "are usually ‘live' and are part of a larger breach.”

Calling the breach a “travesty,” Richard Blech, CEO and co-founder of Secure Channels said in emailed comments to SCMagazine.com that “while you can get a new credit card number, you are not going to get a new Social Security number or some of the other user identity sensitive data.”

The breach “is going to cost the government and – as usual – the taxpayers billions to clean up this mess, and the repercussions of this breach will have effects for many years to come,” Blech predicted.

Phil Lieberman, CEO of Lieberman Software, took the federal government to task for preaching security to private industry but not taking that advice to heart itself.

“It is a tragedy that the executive branch, as well as NIST and NSA, have been preaching the gospel of security by design, segmentation of data and control, proper identity management, as well as effective monitoring,” Lieberman said in comments emailed to SCMagazine.com. “Here with OPM we have an agency entrusted with the defense of its government employees ignoring the guidance given by the government, as well as failing to implement off-the-shelf technologies that are common to the commercial realm.”   

Noting that in “every tragedy there is an opportunity to create a better future,” Lieberman said President Obama will now be tasked with dealing with serious threats from the outside and weaknesses from inside government. “I hope that the legislature backs him, as well as the unions, to change the government so that there will not be a repeat of this scenario (or at least make future attacks less effective),” he said.

Indeed, Senate Majority Leader Mitch McConnell, R-Ky., used the breach to try to push through the Cyber-security Information Sharing Act (CISA) as an amendment to the Defense Authorisation Bill and admonished Democrats for playing politics if they attempt to block the bill, infuriating senator Harry Reid. 

Page 1 of 2