Tag Archives: SF-86

Second OPM Breach Disclosed – Worst Case Scenario Likely

The OPM has admitted that the 4 million record number is way low; the number is likely around 14 million, and the SF-86 data, which OPM initially said was not compromised, was, in fact, hacked.

In a statement to Bloomberg News on Friday, agency spokesperson Samuel Schumach (see article) said:

Investigators have “a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.”

If true, what this means is that if you have applied for a security clearance with the government since the 1980s, your data may be in the hands of the Chinese government.  It would appear that whether the clearance was granted or not or is active or not – in any of these cases – your data may be compromised.

I do think that OPM is having problems figuring out how long the hackers were inside, what they took and where it went.  Assuming their systems are the twisted ball of baling wire and chewing gum that I suspect they are, we may never know the whole story.

The problem, if they did get the SF-86s as it appears that they did, is the nature of the data in the forms.  Depending on the level of clearance, there are also interviews with you, references, neighbors, business associates and former neighbors.  It is certainly possible that this data was also compromised.  If so, the 14 million number will start to look very small.

While the CIA and other intelligence agencies keep their records separate, IF an agent was in the military or at a defense contractor, their data may be part of the disclosure.

If you completed an SF-86, you were required to disclose information such as arrests, prior drug use and other very sensitive information which could make these people targets of blackmailers and could have a very negative impact on people’s jobs, families and personal safety.

Giving someone who had this type of information compromised 18 months of credit monitoring will not help very much.   And, since it is almost impossible to sue the government, people really have very little recourse unless Congress decides to act.

I guess we will keep hearing more about this – I do not think this is over yet.

OPM Breach – What Was Taken?

The government seems to be avoiding telling us what information was taken.  This could be because they don’t know – or because they do know.  One speculation that keeps coming up, and that the OPM has not denied, is that the hackers got SF-86 data.  If that is true, that is a problem.  I will explain in a moment, but the OPM has admitted that the data was not encrypted.  Other people in the know have said that the government is focusing too much on perimeter security.  While perimeter security is important, it does little for the case where your employees invite the attackers in by, say,  clicking on a link.

The SF-86s, if they were compromised, would be the holy grail for attackers like China trying to build a database of federal government employees and contractors.  If you apply for a government security clearance, you fill out an SF-86.  In that form you tell the government about yourself – where you have lived, where you have worked, every family member, your friends, your references, etc.

While we don’t actually use the SF-86 form itself any more – eQIP, a web-based system, replaced it – the blank form is still available here.  I don’t know, but I suspect, that eQIP is just a web front end that generates and validates the data and then produces an SF-86 for the actual government process.

To give you an idea of how invasive the SF-86 is, the form itself is 127 pages long.

Besides information like your social, date of birth, place of birth, height, weight, other names you have used, citizenship information – including naturalization information if you became a citizen, where you went to school and even more information, it asks about any crimes you were convicted of.

It also asks for some of that information, like socials for your relatives, so all of a sudden, that 4 million identities becomes 40 million.  I am not clear if the OPM is going to notify all those people that their information has been compromised as well.

So, if you are merely an identity thief, you now have a vast database of information that cannot be replaced like a credit card can, information to answer security questions and create false identities to commit crimes.

If you are a foreign power and you want to commit espionage, you now have the data to figure out who can be blackmailed and for what.

And, there is really NOTHING that you can do to protect yourself.

And, you cannot sue the government, no matter what happens.

It is really, pretty much, a mess.

Explain to me how 18 months of credit monitoring will help you against being blackmailed.  Or protect you from an identity thief using that information to get access to existing financial resources.

I was reading about Lifelock after I wrote the post on identity protection services yesterday and their higher end plans ($220-$330 a year, if you buy in advance) do offer to monitor your checking and brokerage accounts, but they do not say how.  The only way I can see that working is if you give them access to your accounts.  If true, you are counting on them not being breached and, at least for my bank, they say that if you give someone access and there is fraud, the bank is no longer responsible to make you whole.  And even if you do subscribe to this, it reports after the fact – after the crook has stolen your money.

I don’t think there is an easy way out of this one, unfortunately, *IF* the attackers got millions of SF-86s.

Attackers are getting smarter and businesses, in general, are not keeping pace.

If someone broke into your network and stole your equivalent of SF-86s and quietly left, would you even know?  What would the impact on your business be if you lost your customer lists, trade secrets, patent applications, business processes or other crown jewels?

Ponder that for a moment.