The hack of the US government Office of Personnel Management (OPM) uncovered the complete file of infidelities, unusual sexual practices and fetishes, drug abuse, debt troubles, alcoholism, gambling problems and more of millions of US government staff, a senior US official has admitted.
The information about the highly personal, often criminal, behaviour of US government staff was in a file of “adjudication information” that US security keeps on government employees and contractors when they apply for security clearances.
It comes in addition to the earlier admission that the attackers had downloaded “Standard Form 86” disclosures – confessions freely made by staff of indiscretions that might compromise them in their roles, which they were required by the terms of their contracts to divulge to their employer, who would adjudicate accordingly.
The hack of government employees’ most intimate security records, which were centralised at the OPM, has been described as the most devastating known hack in history. It is believed to have been perpetrated by hackers working for China’s own security services, and its release could wreak havoc on the lives of people named in the file, whose all-important social security numbers were also included in the file. There are fears that the details could also be used in a mass identity theft.
Some information from the OPM has already found its way into the public domain – albeit with names unpublished. Many of the cases involving debt relate to medical debts, but more salacious details include case number 12-06311.h1: “Applicant engaged in a long-distance extra-marital affair with a friend’s wife for more than 20 years. However, the Department of Defense is aware of the affair because Applicant listed it on his Questionnaire for National Security Positions; the affair is over; and Applicant told his wife about the affair. Clearance is granted.”
Perhaps most ominous of all, though, is that the higher up the US civil service and government someone has ascended, the more “dirt” the system will have retained about them, and hence more opportunities for blackmail and worse.
The loss of information in such a sensitive system also raises the question of exactly how far in to US systems the hackers were able to penetrate – and suggests that even Washington does not know the full extent of the attack and information lost.
In the aftermath of the attacks, officials have pointed the finger of blame at each other. The head of the OPM, Katherine Archuleta, acknowledged in a congressional hearing that she was responsible for keeping the files safe – but blamed the hackers. Another executive at the agency has disputed that the official account of one of his staff was used by the hackers in the attacks.
According to PBS News, “Archuleta said it was the responsibility for protecting records of her and her chief information officer, but she again sought to steer blame to the hackers, whom she described as a ‘very dedicated, focused actor’. Asked directly about reports that US officials blamed China’s government, she responded: ‘That’s classified’.”
KeyPoint Government Solutions, meanwhile, one of the contractors used by the OPM, has denied that it had any responsibility for the attack. However, Archuleta had earlier blamed the company, claiming that the hackers had used stolen KeyPoint credentials in their attack.
The aftermath of the attack has exposed the poor quality of IT systems and their management at senior US government levels. Indicating, perhaps, that the US National Security Agency ought to have first focused its know-how on them in order to identify such weaknesses before seeking to hack computer systems elsewhere in the world.