During the week of June 8th, the Office of Personnel Management (OPM) announced that the records of all current and past US federal employees had been compromised. That includes standard employment information – addresses, Social Security numbers, etc. – of over 4 million people ranging from a random forest ranger to US Cabinet members. (According to OPM, the President, Vice President, and Congress are not in these records but their staffs are.)
But it wasn’t until June 12th that OPM dropped the biggest bomb:
“The second OPM database that was breached contains sensitive background check information — called SF-86 data — that includes applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences and names of neighbors and close friends.” – source: Washington Post, June 12, 2015
If you’re not familiar with the clearance process, congrats.
But as a person who is, it is not hyperbole to say that this is catastrophic.
When most hacks occur – like Target or TJ Maxx – hackers get credit card numbers and can drain bank accounts, make fraudulent charges, and generally make someone’s life miserable.
Getting the SF-86 data is a whole other story.
When you’re applying for a job that involves any sort of security clearance, you have to fill out the SF-86 [download a PDF copy here]. In it, you have to give standard job-related information and then – to show that you’re not a security risk – provide information on the jobs you’ve had and the places you’ve lived for the past 10 years. This may include college information, legal issues, past drug use, relationships, and a variety of other things. Then you need to provide references for each of those places, jobs, schools, etc.
The goal is to determine if you are “reliable, trustworthy, of good conduct and character, and loyal to the U.S.” (That quote is from the top right column on the first page.)
So OPM (and sometimes your agency’s investigators) will use this information to learn everything about you and interview your references and research them to make sure they’re trustworthy enough to use as references. Then they ask the question:
Is there anyone else I should talk to?
Then they do the same one step further out and ask the same question. Their whole job is to find your dirty secrets, your problems, your issues, and then document the whole thing to assess you as a security risk.
And this is before the polygraph (if needed).
Now do you see the implications?
If someone just steals your identity, consider yourself lucky.
Stop and think about law enforcement and the intelligence agencies. There are the obvious ones that everyone thinks of – FBI, CIA, NSA – but there are literally dozens of others including but not limited to the Office of the Attorney General, Defense Intelligence Agency (DIA), Bureau of Alcohol, Tobacco and Firearms (ATF), Immigration and Customs Enforcement (ICE), Drug Enforcement Agency (DEA), and even things like the Nuclear Regulatory Commission (NRC). Admittedly, that last one isn’t an intelligence service exactly but they still deal with sensitive information.
Whoever took this data has all the relevant information on anyone (and their families and their friends) who has received a security clearance. Not some. Not parts. ALL.
If you’ve ever pissed off a criminal, annoyed a foreign government, put yourself in a dangerous situation (like undercover), or are in a position to be pressured or threatened, you are screwed. And yes, that does include me.
Oh... and the kicker. OPM says this happened in December 2014.
UPDATE: On June 17th, I wrote a follow-on blog post to this called “OPM Background Check Hack – A Different Angle” that you should read too.