US OPM boss quits after hackers stole chapter and verse on 21.5m Americans' lives

The director of the US Office of Personnel Management has handed in her resignation in the wake of further revelations about the scale of the hacking attack on the agency. "This morning, I offered, and the President accepted, my resignation as the Director of the Office of Personnel Management," she said in a statement. "I …

  1. drone2903 in Kanuckistant

    error in title...

    Last month, the OPM admitted that the personnel records of 4.1 million federal government employees had been stolen from its servers by hackers unknown. Then on Thursday the OPM revealed that an additional 21.5 million dossiers...

    So that's 25 million Merkans' lives...

    that we know about...

    so far...

    1. diodesign (Written by Reg staff) Silver badge

      Re: error in title...

      Well, no. There's an overlap in the original 4 million whose SSNs and addresses and stuff like that were leaked, and the 21.5 million is the background checks and similar information. Two different databases. Same group of people. It's all a bit of a mess, really.

      C.

      1. PleebSmash
        IT Angle

        Re: error in title...

        And there's another number floating around: 32 million current, former and prospective federal employees potentially compromised.

        Archuleta couldn't handle the mess.

        1. Hollerith 1

          Re: error in title...

          And why would she want to? Given that the neglect has been systemic for more than the two years of her tenure, there's no reason for her to keep on being broiled alive.

  2. Yoda123

    Trust the government - Give them encryption backdoors.

    The most disturbing aspect of this is the fact that one side of the Government is pushing for back-doors in encryption technology, and another side of the Government is losing the data that can allow the key-holders of the back-door to be blackmailed. Bravo!

    1. Anonymous Coward

      Re: Trust the government - Give them encryption backdoors.

      Well when millennials are willing to give away all privacy (they don't even seem to understand the concept) to corporations for little more than trinkets what does the government have to fear?

      1. Anonymous Coward

        Re: Trust the government - Give them encryption backdoors.

        "If you have nothing left to give you have nothing to fear"

  3. Eddy Ito

    Sorry, when I see statements like these:

    ... an additional 21.5 million dossiers... had been filched by hackers. The intruders had spent six months in the agency's servers.

    the agency wasn't even sure how many computer networks it had.

    I say that translates to 'we don't know what they took, how long they had been there or how well they really covered their tracks.'

    As a result I would posit that if you ever filed for a security clearance then you can safely assume that your data was taken. This is no different from walking into the room of the worst hoarder and trying to figure out what was stolen over the course of who knows how long by looking where the dust was disturbed.

    1. tom dial Silver badge

      "if you ever filed for a security clearance..."

      I expect not. OPM was quite a bit behind in digitizing old documents, probably including the security clearance questionnaires and any information collected during background investigations. From 2003 or so the SF-86 form was a filled PDF served by OPM, and I think the background investigation data was set up similarly; those surely are gone. SF-86 before then and other similar forms such as the SF-85p may still exist only on paper. Newer ones and the related background investigation data probably were digitized as received and older ones would have been done as time and other resources allowed; some of those may not be gone, but the more recent ones that matter the most probably are. The backfile conversion data may be scanner output files, a bit more difficult or costly to use than the recent SF-86 data.

      OPM may never know enough detail about it to be sure, but over time will come pretty close. There is likely to be uncertainty about the status of those in process during the breach period, whether new or backfile conversion. Similar considerations probably apply to other types of clearance processing, for example National Agency Checks and National Agency Checks with Inquiries. OPM probably will notify everyone whose information cannot be shown never to have been digitized.

  4. Anonymous Coward

    ...and another one bites the dust.

    1. Anonymous Coward

      patronage at its finest, United States of Greece

      long after she should have

      1. This post has been deleted by its author

  5. Anonymous Coward

    poop throwing time

    Granted to many he was the lesser of two shitty choices each time but I didn't think an administration could hold its own people less accountable than Bush did until Obama came along. I think he actually thought his political hack buddy could weather the storm. Just showing once again neither party gives a damn about the country (this problem has been many administrations in the making), only their own power.

  6. Version 1.0 Silver badge

    Nice pension

    She's retiring - can't say I blame her, I'd do the same thing if I could afford it.

    But what boggles the mind is - just what in heavens name was this stuff doing connected to the Internet in the first place? Chances are it was some automated program at the NSA that took the stuff anyway.

    1. Anonymous Coward

      @ Version 1.0

      " just what in heavens name was this stuff doing connected to the Internet in the first place?"

      Applicants must file the SF-86 online using OPM's e-QIP website.

    2. tom dial Silver badge

      Re: Nice pension

      As noted, the paper SF-86 has been replaced by an application served from OPM. That is not a reason for the database containing the data to be on a network attached to the internet. At my former agency (not OPM) we were exceedingly careful about Personally Identifiable Information leaks; this is the mother of all PII compromises.

  7. Mark 85

    She needed to go....

    For one thing, everyone and their brother wanted interviews, to point the blame, etc. The new person will at least have a few weeks before the next sh**storm hits.

    And, this being politics, a head rolled. Congress will be happy as they found a scapegoat. The media will be happy and find the next "big story". The populace will fall back into a state of apathy and listening to the politicos' various ranting as it's "pre-election season".

    Why is it that with time, I'm gaining cynicism and not losing any like I lose my hair?

    1. Eddy Ito

      Re: She needed to go....

      Why? Isn't it a simple matter of having seen this show before? It's that whole 'fool me once, shame on you, fool me twice, shame on me' idiom.

  8. Anonymous Coward

    Sacrificial goat.

    (body)

    1. Destroy All Monsters Silver badge

      Re: Sacrificial goat.

      Meh!

  9. Anonymous Coward

    Look at her Resume

    A little thin.

    https://www.opm.gov/about-us/our-people-organization/senior-staff-bios/katherine-archuleta/

  10. Big Ed

    Banks Do It... Why Can't The Social Security Administration

    So if your credit card is stolen, banks will freeze the card immediately; and they issue a new card lickety split. If a Social Security Number is stolen the SSA yawns, and 21.5M people suffer the consequences.

    The conspiracy theorist in me wonders why.

    Laziness, cheapness, incompetence, stupidity, _______ - you fill in the blank.

    1. Eddy Ito

      Re: Banks Do It... Why Can't The Social Security Administration

      I think the only one you forgot is lack of planning. A Social Security Number is only nine digits so the theoretical maximum is a billion numbers of which several groups are either reserved or invalid, good luck getting a number starting with 666 for instance. Also about 450M numbers have been issued [1]. In short about half of the numbers have been used and the SSA states that they will not reuse any number. If they started handing out new numbers every time the gubbermint or some similarly incompetent private organization fucked the dog, they would have run out of numbers weeks months years or even decades ago.

      [1] See Q19

      1. Big Ed

        Re: Banks Do It... Why Can't The Social Security Administration

        Eddy, why not make the number space bigger? Eventually the SSA will run out of numbers. Virtually the entire free world did it for Y2K. The world is doing it with IPV6. Tell me the SSA can't.

        Not all organizations that gave up personal info are incompetent; sometimes the criminals are smarter. Heck even RSA got hacked.

        Virtually every American has multiple credit/debit/ATM cards; how does VISA, MasterCard, AMEX, and Discover Card cope?

        1. Eddy Ito

          Re: Banks Do It... Why Can't The Social Security Administration

          Why? Simple, we're talking about the same SSA that has been struggling for years to keep its systems updated. There's a reason they are so adamant about not changing things. Besides it will take the SSA fifty years to figure out how to expand the space without breaking existing code or mistaking a SSN for a credit card or telephone number. In the end it will wind up being an internal political war between the SSN+4 faction going against the HEXers a.k.a. 0xSSN faction.

          1. Big Ed

            Re: Banks Do It... Why Can't The Social Security Administration

            @EddyIto.

            I don't think you would get any arguments from many about the general incompetence of government bureaucracies.

            And I don't think that anyone would argue that in the US that easily stealable SSNs contribute to stolen identities.

            Given these two factors, what would you propose to stop identity theft?

  11. DerekCurrie
    Meh

    Encryption Expert Required

    Inquire OPM, US federal government

  12. Anonymous Coward

    Meanwhile...

    A "sexortionist" gets 105 years time for getting (~200) idiotic teens to choose to send him explicit pictures of themselves then blackmailing them, whilst the US OPM has merely lost her job and almost certainly faces no charges for negligence that amounts to potentially 21 million financially ruined lives. Justice, you gotta love it, eh?

    No doubt her parting words, as for every public servant in this situation, were: "I've done nothing wrong".

    1. Anonymous Coward

      Re: Meanwhile...

      At least that's one of the breaches of extreme proportions that ISIS won't move into...

  13. Destroy All Monsters Silver badge
    Trollface

    Getting serious

    Password rules : Should I disallow “leetspeak” dictionary passwords like XKCD's Tr0ub4dor&3

    Asked: Today

    I am the lead developer for an upcoming government website which will expose sensitive personal information (criminal history, SSNs, etc primarily). The website will be consumed by the general public, for doing background checks on employees etc.

  14. Harry Anslinger

    Cognitive Disconnect

    One arm of the US government - the NSA - conducts the most intrusive sweeping data intelligence gathering activities, targeting foreign governments (friendly and not), commercial interests (Petrobras et al.), and even American citizens.

    Another arm of the US government compiles and stores sensitive data on American citizens who work for Government agencies and the military and fails to implement even rudimentary safeguards to protect sensitive information.

    The FBI and other law enforcement agencies are purchasing Italian spyware to use in investigations, and they are asking for backdoors in encryption technology. Multiple law enforcement agencies are conducting extensive domestic surveillance using aircraft, automated license plate reading technology and tracking movements and communications of Americans without warrants.

    There are numerous reasons for patriotic Americans to question whether the US government is acting in our best interests and according to our values. It is evident that the government cannot be trusted with our data and it cannot be trusted with oversight. The wonderful thing about the Internet age is that it enables the people to take back their government in new and interesting ways. Americans are nothing if not inventive. I expect interesting times ahead.
