OPM hack: Vast amounts of extremely sensitive data stolen

Register for the upcoming webinar: Top 6 Security Needs for APIs and Serverless Apps

The extent of the breach suffered by the US Office of Personnel Management has apparently widened.

Reports are coming in that the hackers have not only accessed Social Security numbers, job assignments, performance ratings and training information of some 4 million current and former federal employees, but also the Standard Form 86 of as many as 14 million employees.

The SF-86 is a form that every federal employee aspiring to a national security position has to fill out.

127 pages long, the questionnaire is used by the US government to conduct background investigations and evaluations, and contains information about themselves, their passport, citizenship, schools, past residences, employment activities, military history, people who know them well (friends, peers, colleagues, college roommates, associates, etc.), marital status, relatives, foreign contacts (including foreign government contacts), foreign activities (including business activities), foreign travel, psychological and emotional health, police record, illegal use of drugs and drug activity, use of alcohol, financial records, association records, and more.

If this information has been stolen by hackers backed by the Chinese government, as it is apparently believed by people close to the investigation, this means that the have in their possession information that can potentially be used to blackmail US government employees, but also to discover the people they know or are related to in China.

Joel Brenner, a former top US counterintelligence official, explained the problems that this stolen data may bring: “This tells the Chinese the identities of almost everybody who has got a United States security clearance. That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That’s a gold mine. It helps you approach and recruit spies.”

Not to mention the fact that all this private information can be used to mount extremely personalized phishing attacks.

The fact that the info has not been stored in encrypted form has also angered federal employees, who rightly expected the US government to protect it.