OPM Hack

[audette]

When news first hit about it, I seem to recall reading somewhere that military records were not impacted. We haven't heard anything different.

As a contractor (you), I'm not sure what your risk would be with the hack, though.

[killercupcake]

My friend works in the OPM, so I can see if he knows, but I don't know when he'll get back to me. He's the press secretary, so this week has been a nightmare for him. heh.

[killercupcake]

www.opm.gov/faqs/topic/cybersecurityinformation/

Just kidding, he tweeted this out.

[audette]

So, maybe I was doing a bit of a "head in sand" routine... Turns out DH now thinks his records were likely impacted. I saw an article yesterday that mentioned the SF86 form, and when I mentioned that to DH his response was "oh shit".

He still has received no news (as of Saturday, I don't think he checked his work email yesterday, and hadn't yet today by the time we last spoke). So, we're working blind. Some of the folks on the money matters board here are discussing the breach and what steps might be useful to take, so it might be worthwhile for you to check there, @happybythekilowatt.

[amaristella]

Jun 15, 2015 8:05:35 GMT -5 @happybythekilowatt said:

Update (link from CEP) www.theatlantic.com/national/archive/2015/06/federal-data-hacking-worse/395807/

And that is exactly what I just came here for. DH sent me a link and I wanted to know if anybody had gotten wind of it.

This the Navy Times article he sent me.
www.navytimes.com/story/military/2015/06/17/sf-86-security-clearance-breach-troops-affected-opm/28866125/

[amaristella]

I cannot confirm this, but DH also mentioned to me that he believed that management of the system had been outsourced to China up to and including root access to the system. That is a particularly bold accusation, but if it's true it represents an incredible degree of negligence.

Edit: This is the source of the accusation.

"Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?"

[cattledogkisses]

So H has filled out SF86. We haven't heard a peep about this through any official channels. What should we be doing right now? I have no idea how to even approach this mess.

[amaristella]

Jun 18, 2015 15:57:03 GMT -5 cattledogkisses said:

So H has filled out SF86. We haven't heard a peep about this through any official channels. What should we be doing right now? I have no idea how to even approach this mess.

IMHO, for most people, keep on keeping on. Follow all the same PERSEC precautions that you would normally.

Think of it from a criminal's perspective. What would someone who is not well-meaning do with that info? A couple things I think of would be:

1.) Credit fraud. SS#, address and name info.
2.) Scamming the people you know (pretending to be you, trying to get money out of them.)

In a worst case scenario where say, your home address or employer information are still the same I would want to be a little more vigilant than usual with regards to personal attacks. And probably the higher the clearance that someone has, in combination with the riskier or more vulnerable a person's current location would determine what more personal security steps would need to be taken. Meaning, if someone has a super high clearance and is stationed in a hostile area, that might be an issue. But then again it probably already was and security precautions were probably already being taken. I don't want to minimize anybody's concerns, but take a moment to think through it for your individual situation.