The OPM Hacking Scandal Just Got Worse by John Schindler.
From the post:
The other day I explained in detail how the mega-hack of the Office of Personnel Management’s internal servers looks like a genuine disaster for the U.S. Government, a setback that will have long-lasting and painful counterintelligence consequences. In particular I explained what the four million Americans whose records have been purloined may be in for:
Whoever now holds OPM’s records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side (perhaps with someone of a different gender than your normal partner) — since all that is recorded in security clearance paperwork (to get an idea of how detailed this gets, you can see the form, called an SF86, here).
Do you have friends in foreign countries, perhaps lovers past and present? They know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that too. Your college drug habit? Yes, that too. Even what your friends and neighbors said about you to investigators, highly personal and revealing stuff, that’s in the other side’s possession now.
The bad news keeps piling up with this story, including reports that OPM records may have appeared, for sale, on the “darknet.” Even more disturbing, if predictable, is a new report in the New York Times that case “investigators believe that the Chinese hackers who attacked the databases of the Office of Personnel Management may have obtained the names of Chinese relatives, friends and frequent associates of American diplomats and other government officials, information that Beijing could use for blackmail or retaliation.” (emphasis in original)
The fallout from the OPM hack does seem to worsen, but the quality of reporting on the hack remains fairly constant, as in poor.
The New York Times continues to parrot the unofficial government line that China was behind the OPM hack. Could be true, but why would the Chinese government want to sell OPM records on the “darknet?” That seems to contradict the state enterprise line. Yes?
The media has failed to follow up on who in the OPM was responsible for security and what steps have been taken to hold them accountable for this rather remarkable data breach.
Unless and until the holders of data have “skin in the game” for data breaches, data security will not improve.