So what if the hackers instruct the US government SS administration to list these people as “retired” and starts sending them checks? This could get interesting; stay tuned.
That was the case even in 1994 when I left Federal employment. We all had to chip in for a fridge to store lunches, an office coffeepot and supplies, and a microwave, let alone silverware and napkins.
I can’t for the life of me figure out how I would have found out about this breach if I didn’t read the newspaper. I have moved several times since I left Federal employment, and I doubt they are going to put a whole lot of effort into looking for me.
I guess I will have to call OPM and see what the deal is. That ought to be fun - I’m sure they are slammed at the moment.
Leave it to someone to blame the President.
They don’t have that kind of access. This was a data theft like any other; they got a bunch of SSNs and can use the information to try to obtain credit in someone else’s name, or sell the SSNs to someone else who will do so.
My agency has informed us that OPM will provide 18 months of credit monitoring, and that if I was one of the compromised ones, I will be contacted directly by the monitoring firm (and probably a lot of other individuals and companies as well :rolleyes:).
Well certainly not Clinton who doesn’t understand that a Blackberry, an iPad and a phone are actually three separate devices and not just one.
This depends on your definition of “ancient.” Network security software does get updated on a regular basis, and the federal government, generally speaking, takes data security very seriously. Employees in my agency are required to take annual data security training, in which we are reminded not to fall for phishing attacks, not to open attachments/links from unknown senders, not to give passwords over the phone, and so on. We also have a phone number we can call if we suspect a network security breach, and it puts a whole team of network security folks into play. Some of the systems I interact with (e.g. the Federal Acquisition Institute) require you to change your password every few months, and will lock you out if you guess your password wrong just a few times in a row.
As with any organization, there will be security holes, often created by someone not following official procedures, despite the government’s best efforts to train them. Hackers, poking and prodding the system 24/7, will eventually find those holes and exploit them, especially if the target is valuable enough (e.g. a database containing personal identifying information for millions of federal employees). Without knowing exactly what happened in this particular breach, it’s misguided to suggest that the government hasn’t exercised due diligence with regard to the security of its employees’ personal info.
Really, anyone surprised?
Any idea how they intend to hunt down former employees who aren’t currently on the radar because they have no reason to be, i.e. they are not receiving pensions, etc.?
No offense, but the fact that you consider your list here “tak[ing] data security very seriously” is the reason why most federal agencies have piss-poor security postures. The reason IS most people don’t care. Data, system, and network security hinder getting work done. For 90% of government employees, getting work done is their main concern. Anything else is just something that is bothersome. Annual training? Nobody likes doing that. Everyone just clicks “next” as fast as possible to get credit for taking it. Password gets locked out? Call a number and have them reset it, even though they have no idea who you are.
Much is made of the fact that hostile adversaries use “sophisticated attacks” and “super cyberweapons” when a simple email with a malicious attachment sent to an entire agency is almost 100% effective. Look at the contracts for network security. It is never 100% implementation of critical security patches or updates. If your network security is contracted out, they only care about conforming to the contract, not whether the network is secure or not. Further, the companies are not responsible nor liable for any attack that occurs. I expect to see more and more big data breaches in government networks.
Why is this a problem in government networks specifically? You don’t think the employees at say Ford forget their passwords and have to call to get them reset? You don’t think bank employees zip through their security lessons as quickly as possible? All I’m seeing here is a lot of “GRRRR! I hate government! Government Bad! Government Always Bad!”
The memo we got did not say anything about former employees. I assume the federal government can find you if really wanted to, but I don’t know that they would give those tools to the credit monitor. It might not be a bad idea for you to call OPM or your former agency and update whatever address they may have for you.
Oh, I’m not saying it is not a problem in non-government networks. But I don’t think people should be expecting government networks to be any more secure than commercial ones. Disclaimer, I’ve never worked on any commercial networks, only government ones.
Agreed. An attacker with enough time and resources will be able to break into a target almost 100% of the time. A sufficiently complex enterprise presents such a large attack surface that eventually the bad guys will find a weakness. This is not to say that organizations should just throw in the towel and take no steps to defend themselves. They need to continually raise the bar to make it as hard as possible for the bad guys to break in, and hope that the bad guys run out of time, patience, and/or resources and move on to other targets. But, if your adversaries are a large number of people who are paid to clock in every day and bang on your systems, possibly with the resources of a nation behind them, they will get in.
I would hope that the President spends his time on issues at a higher level than the security controls implemented by one of the vast number of government agencies. Jesus, corporate CEOs for the most part can’t even be bothered to get involved with the nuts and bolts of information security, and they’re not walking around wondering if today is the day they’ll have to bomb North Korea.
Hey, anyone know how much of the National debt China owns? Let’s fine them that much.
I’ve always wanted to meet Jude Law.
The knives haven’t come out. At all. In fact, I’m annoyed, not that Obama isn’t being raked over the coals, but that the government is going easy on itself when it came down like a ton of bricks on Target. This incident should be treated with just as much seriousness. Heads should roll.
So is assuming that when things go wrong it’s always because there wasn’t enough money. The government has 20%+ of GDP to spend. Any 536 morons (Congress + the President) should be able to meet most priorities with a $3 trillion pot.
Whose heads do you think should roll in the OPM data breach?
There’s no reason a lot of this stuff has to be on computers connected to the internet.
The breach goes back to data from 1985.
http://www.reuters.com/article/2015/06/06/us-cybersecurity-usa-idUSKBN0OL1V320150606
I’ve seen news articles that mention former employee data was also affected. The last address the DOJ (my former agency) has for me is circa 1994. I think I will try to give them a call, but it may take some work to get through to the right person. If you have more specific contact info than just “call OPM,” would you please post or PM me?
ETA: whaddaya know, they’re actually being kind of proactive, though a letter sent to my last known postal address isn’t going to be so useful.