Updates on OPM breach(es)
Some bits ‘n pieces of the follow-ups on the OPM hack…
Malia Zimmerman reports:
In addition to data from the OPM breach, Roberts said a new OWL search has uncovered another 9,500 government log-in credentials stolen this week from a variety of county, state and federal agencies across the nation, for everything from the Obamacare site, Healthcare.gov, the Internal Revenue Service, the U.S. Census Bureau, and U.S. Court System to the Child Support agency and Unemployment Agency in Ohio.
Read more on FOX News
And Andy Greenberg reported:
At first, the government said the breach exposed the personal information of approximately four million people—information such as Social Security numbers, birthdates and addresses of current and former federal workers. Wrong.
It turns out the hackers, who are believed to be from China, also accessed so-called SF-86 forms, documents used for conducting background checks for worker security clearances. The forms can contain a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members. They can also include potentially sensitive information about the applicant’s interactions with foreign nationals—information that could be used against those nationals in their own country.
What’s more, in initial media stories about the breach, the Department of Homeland Security had touted the government’s EINSTEIN detection program, suggesting it was responsible for uncovering the hack. Nope, also wrong.
Read more on Wired.
You may have seen earlier news reports that OPM’s hacked database was up for sale on the dark web, but Brian Krebs says it’s not true:
A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne’er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known as Federal Prison Industries.
Read more on KrebsOnSecurity.com.
And finally (for now), if you’re affected, your notification letter is coming. Seth Robson reports:
The Office of Personnel Management plans to soon notify federal employees whose personal information was hacked in a massive data breach that was discovered earlier this month.
The hackers, who unnamed U.S. officials say have ties to the Chinese government, appear to have breached the computer system run by OPM, with the personal information of up to 14 million government and military employees possibly compromised, according to The Associated Press.
Read more on Stars and Stripes.