Victims of US gov't mega-breach still haven't been notified

Nearly three months after the US Office of Personnel Management (OPM) discovered its databases had been compromised by Chinese hackers, the government still hasn't notified the employees and contractors affected by the breach. On Tuesday, the OPM said it planned to start the process of informing victims "later this month," and …

  1. Mark 85

    Such a bargain....

    21.5 million people (not counting covered dependents) get this wonderful service. Unless I messed up entering the numbers into the calculator, that breaks down to $6.19 (US) per person for the three years or $3 and change (US) per person per year. How good can the contractor be? Other companies charge considerably more. Or are they hoping that many folks won't take them up on their "services"?

    <sarc> As a side note... it's rather amazing how fast the government is moving to even start notifying people. </sarc>

    1. Anonymous Coward

      Re: Such a bargain....

      Well, considering that government and efficiency are rarely found together in this known universe, they really are moving at a much faster speed than usual. A contractor appointed this quickly? Months rather than years? The mind boggles. [Which leaves me also suspicious of the service as well.]

      Gee, this time I'll get an actual letter. When the (possible) breach of the Veterans Administration's (every damn) medical records via a stolen laptop happened, the only notifications came via the press. Then again, the VA regularly sends me pamphlets saying any official anywhere, and I kid you not, can access them anytime. Government and sense not often found in this universe together either.

    2. Eddy Ito

      Re: Such a bargain....

      Seeing as it's government, they probably haven't figured out who they need to notify or if the list is still growing.

  2. Julian Bond

    Fix the systems that allow identity theft to happen?

    A big part of the problem here is the systems that allow the identity theft to happen because they treat things like SSNs as a secret that authenticates rather than just identifies.

  3. Pascal Monett Silver badge

    Standard Form 86

    Among the data that is thought to have leaked are records of Standard Form 86, an exhaustive questionnaire designed for people who are requesting security clearances

    Well it looks like that's all the hackers needed then. Jackpot for them.

    Now all the government's got to do is create an ITB - Identity Theft Bureau. Because it's gonna take a whole new Bureau to deal with the fallout on this one.

    1. Julz

      Re: Standard Form 86

      FYI

      https://www.opm.gov/forms/pdf_fill/sf86.pdf

  4. Anonymous Coward

    And how are they protecting against leverage?

    The worst part of the OPM breach is that it provided the intelligence of who to blackmail for government information, and by what means. I hope they have a large budget set aside for protecting the people they exposed. None of them asked for that Valerie Plame treatment.

  5. Kepler

    Just how far back does this go?

    According to the OPM Web site linked at the end of the article:

    "If you underwent a background investigation through OPM in 2000 or afterwards . . ., it is highly likely that you are impacted by the incident involving background investigations. If you underwent a background investigation prior to 2000, you still may be impacted, but it is less likely."

    Obviously it doesn't say how much less likely.

    Has anybody here learned from any other source just how far back it might go? Is there any known year before which one can be pretty much certain that one's data would not have been part of the breach?

    (I'm guessing that a person who submitted a now-discontinued SF-171, by hard copy only, rather than the newer SF-86, probably has nothing to worry about. Unless of course old SF-171s were at some point scanned by OPM and then made available electronically within OPM's internal database.)

    1. tom dial Silver badge

      Re: Just how far back does this go?

      It is reasonable to assume that it goes back to the earliest SF-86 or similar form completed by any employee in active service at the time eQIP was deployed in 2003. The uncertainty for others would relate to the probable fact that OPM was scanning and possibly doing OCR on a resources-available basis for earlier forms that those no longer in government service submitted. It is not announced whether they worked forward from the oldest paper forms or backward from the newest. Whether a hard limit would exist would depend significantly on the legal retention requirements that govern disposal, something that varies by document type. My recollection is that military payroll records must be retained well over 40 years, partly because of the complexity of military retired pay laws.

      For what it is worth, exposure of SF-86 type data for most people would not be nearly as dire as generally portrayed in the press. The document does not contain much financial, medical, or criminal history data unless there is something significant, and most of the questions concern events in the last 7 years, although some of them ask about "EVER". Submission, however, includes a number of releases allowing the government to ask financial and medical institutions and law enforcement agencies for more; however, most who would be eligible for a position of public trust or security clearance would not have a lot that would facilitate blackmail, and those who omitted significant matters from the questionnaire would be relatively unlikely to gain the status requested, although it could happen as various home-grown spies have shown from time to time.

      The SF-171 contained basic data similar to the SF-86 but significantly less extensive and could have been used as the starting point for a background investigation. Ordinarily it was not, and an applicant for a classified position would be required to complete the more extensive SF-86 or similar document.
