Hackers Steal Personal Information of US Security-Clearance Holders

The article says they were Chinese but offers no evidence:

The intrusion at the Office of Personnel Management was particularly disturbing because it oversees a system called e-QIP, in which federal employees applying for security clearances enter their most personal information, including financial data. Federal employees who have had security clearances for some time are often required to update their personal information through the website.

This is a big deal. If I were a government, trying to figure out who to target for blackmail, bribery, and other coercive tactics, this would be a nice database to have.

Posted on July 17, 2014 at 6:09 AM • 34 Comments

Comments

Bob S. • July 17, 2014 6:16 AM

Not to worry, just a routine NSA sweep.

I've suspected for years at least some of the larger intrusions of personal data were simply government exercises to feed data bases. They were too good, too big, too simple and more importantly nothing bad ever happened (that we know about).

I cannot prove it, also.

Further, I deny I ever said it.

Mike the goat • July 17, 2014 6:17 AM

It is indeed a worrying development as we know from previous experience that the lowest hanging fruit are already authorized persons who can be 'got to' via various means, whether that be via coercion or even other more esoteric social engineering tactics.

They have to know that their practice of public-private partnerships/outsourcing to civilians is an inherently risky thing to do anyway, so you'd think that this kind of information would be very well guarded... well, that was what I'd assume, anyway :)

uh, Mike • July 17, 2014 7:20 AM

Among those who are not allowed to see the data are most Federal agencies. Only the Defense Investigative Agency is normally allowed to know. So if the USA wants to know secrets about their cleared employees, they could now steal it from the (?) Chinese.

SOC Bubbah • July 17, 2014 8:07 AM

Not to sound like Chicken Little, but just looking at the information on my e-Qip form, there's a lot more in the database than the NYT reports. For starters, I'm not, nor have I ever been a federal employee. So, the scope is actually anyone who has, or has applied for a clearance. That means contractors too. The header of each of the 37 pages on my form has my Social Security Number. In the document you will find the SSN's for my ex-wife, son, and current girlfriend. Other tidbits include the Naturalization numbers for my mother, ex-wife, and girlfriend. Full names, and contact information for people who've known me at the places I've lived for the past ten years. Same for employers. Living in the DC Metro area, many of my references, both personal and professional, have clearances, so they each have the same form in the database. The only financial information asked for in the version I have had to do with accounts that were past due or in arrears, so the typical bank account, credit card, mortgage, and car loan stuff isn't in the form.

In short, this is considerably more serious than meets the eye, and frankly, I'm surprised that it's getting less play than local little league scores. Maybe I'm overly worked up because my data is in there too.

65535 • July 17, 2014 8:20 AM

The article contains a lot of commentary and unnamed sources. I get the feeling that this is a spin job to show the need for more NSA surveillance powers - in light of recent disclosures.

John • July 17, 2014 8:30 AM

@SOC Bubbah

You're not overly worked up. What you left out is the info you give them never gets removed from that database, even inactive clearance info stays in the system forever.

Brian B • July 17, 2014 8:31 AM

The use of the name e-QIP in this article is fluff. Nothing in the article states that e-QIP or any other database was compromised. At this point, the article states that the intruder(s) gained access to the OPM network.

Yes, if e-QIP is compromised, it would be disastrous as it contains billions of records for both Americans and foreigners and their relations. However, it's a bit premature to pull out the umbrella for the falling sky.

CallMeLateForSupper • July 17, 2014 8:50 AM

I have been out of govt. circulation for a while. So form DD 398, Statement of Personal History, fell out of favor in the meantime? ;-)

I just pulled out a copy of the one I filled out and submitted in 1967. A walk down memory lane.

cjyar • July 17, 2014 11:09 AM

It's my understanding that the e-QIP database has more info than what the applicant puts on his/her form. Security clearance background investigations include interviews with the applicant's associates, credit checks, employment and education verification, and probably other data as well. I believe all of that information ends up in the same database.

So, @SOC Bubbah, if the hackers really got that database, they may know things about you that you don't know yourself.

cjyar • July 17, 2014 11:14 AM

It's standard practice to list references who also have security clearances. We self-select people who are cleared and who know us well. Seems like a great dataset for some social network analysis.

Supposedly the Soviets did this during the cold war: If they could figure out that a DARPA program manager, a radar expert, and a cryptographer were all recent acquaintances, it would tell them something interesting.

jbmoore61 • July 17, 2014 11:29 AM

It's a very big deal. Not just federal employees, but federal contractors have to submit e-QIP paperwork for a lot of federal positions. I had to list former residences, all my immediate family, their birthdates, places of birth, and known addresses and contact information, employers out to 10 years, and foreign people I'd been in contact with. It's a great database to use for identity theft. Thank you OPM. I guess I'll expect a letter in the mail soon.

Slime Mold with Mustard • July 17, 2014 12:31 PM

"If I were a government, trying to figure out who to target for blackmail, bribery, and other coercive tactics, this would be a nice database to have".

Oh, it's so much better than that. Just knowing that Dr. John Jacob Jinglehimer Schmidt, University of North Barrow, and expert on "Ghoulish action at extreme range" has gotten a clearance is revealing and opens an avenue for investigation. Helpful details included.

Herman • July 17, 2014 2:08 PM

This is exactly my beef with the spooks. The NSA and GCHQ are leaky sieves. Now if Snowden and others could walk away with gigabytes of data from the NSA, then the rest of the US gov must be leaking metric tons of bytes.

k9 • July 17, 2014 4:30 PM

Where is the "something weird is going on" registry, and who has the qualifications to be trusted as its admin?

All Out • July 17, 2014 10:16 PM

Gee, I feel so bad that the poor NSA technicians had their privacy all deflowered and now some guys are laughing at detailed reports of what they did on their last big bender just before they booted and fell down the stairs, and at their smoove sexting skilz and the pictures of their 40th-percentile ding dong they sent to that hot secretary in TAO, to no avail, and their 412 FICO score. How tragic it would be, if that went up on Infotomb. My heart would just be breaking with sadness.

chrisl • July 18, 2014 1:09 AM

e-QIP is used for essentially all federal employees, as well as contractors who need long term access to federal facilities or information systems, as well as anybody who needs a security clearance. You fill out different information (SF-85, SF-85P, SF-86) depending on whether you're in a non-sensitive position, a sensitive position (e.g. have access to personnel information), or need access to classified information.

A related loss occurred in March 2012 when a laptop was stolen from a NASA employee's car, along with some printed records. It contained at least the default answers to the "golden questions" used to get initial access to e-QIP or if your access has to be reset (not unusual if you only access it every ~5 years or so). It may also have contained information from the e-QIP records for NASA employees and contractors- they didn't announce in detail what was on it, but the impression from various sources is that it was from a security person who might have had the records to do adjudication (i.e. determine whether people could get a NASA PIV-II badge or not), which would imply e-QIP records.

Coyne Tibbets • July 18, 2014 3:35 AM

Some time ago, there was a scandal at NSA (or was it OPM?) because security clearances were contracted out, and the contractor never bothered to actually vet the applicants.

So security clearances seem to be of little value to NSA (the whole government) because no one is actually vetted anyway.

But now that China stole the list, it looks like: The whole reason we give people clearances is to...provide China with a list of cleared people.

What an odd country we are.

StarChild • July 18, 2014 11:00 AM


from the article:
But in this case there was no announcement about the attack. “The administration has never advocated that all intrusions be made public,” said Caitlin Hayden, a spokeswoman for the Obama administration. “We have advocated that businesses that have suffered an intrusion notify customers if the intruder had access to consumers’ personal information. We have also advocated that companies and agencies voluntarily share information about intrusions.”

Because when a foreign intelligence agency hacks into your systems and the FBI is called in, it is always the best move for a counter intelligence investigation to tell everyone what you found.

Reality is: state based hacks are notoriously squashed for government counter intelligence purposes. This is true for any government. So you can expect that Russia and China know a lot more about American hacking activities than they let on, just as America knows a lot more about Russian and Chinese hacking activities than they let on.

This includes businesses, infrastructure. We just got an article out today about how the NASDAQ was hacked by the Russians years before.

I have frequently heard of state sponsored hacks from peers over the years which have not - and may never - make it to the news.

This is bad for corporate security, because they have no idea what their risk and threat is.

To a lesser degree, even non-state sponsored attacks are not publicized. So, you have to get the numbers from yearly reports by companies like Trustwave and Verizon Business Consulting.

As these numbers are very likely tallied by the federal agencies which investigate them, why do they not at least publish anonymized data? Go to any InfraGard show at any conference and hear about stories you will not hear in the news.

I view it as a sort of egomaniacal secrecy retardation syndrome. They keep secrets as a part of their lifestyle, where most of those secrets are entirely meaningless. But, when they can find secrets that would do well for people to know, they are delighted because then that justifies their secrecy... addiction? Obsession?


Tommy McGuire • July 18, 2014 11:49 AM

e-QIP is just the tip of the iceberg. OPM is essentially the human resources department for the federal government. They're responsible for everything from HSPD-12 badging for essentially everyone directly or indirectly employed by the federal government (which uses e-QIP, I believe) to www.usajobs.gov.

Nick P • July 18, 2014 12:05 PM

@ StarChild

It's similar to the point I made to AnonymousBloke recently about the number of countries and personnel attacking us vs what appears in the news. Many of these countries are either very stealthy or their activities are censored to some degree. Regardless, this part I disagree with:

"This is bad for corporate security, because they have no idea what their risk and threat is."

Many state-sponsored and black hat attacks *are* published to the point that anyone following the news knows we're under constant attack. The methods these attackers use are also often published. The US government (and others) also publish guidelines for how to defend information systems. If anything, businesses know there's risk but are ignoring it for the bottom line.

Same reason they ignore most risks. ;)

name.withheld.for.obvious.reasons • July 18, 2014 12:58 PM

@ Nick P

You should ask Mike Rodgers (an idiot on the house intelligence committee--forgive me if I laugh) what constitutes an attack. I am sure an ICMP echo is one type of packet that is included in their report...

He, Rodgers, also made statements that we, meaning government, are attacked 30 million times a month. This type of statistical abuse should come with a penalty. Like a suit suggesting that Rodgers is guilty of misrepresenting the facts whilst holding a position of responsibility...it's not like he was commenting on a blog about Miley Sirus (sp?). Rodgers has made similar statements on multiple Sunday shows, on multiple Sundays. The press (more specifically the media) is crap, or culpable, when it comes to holding these people responsible for what they do...are these people (media/government) in receipt of paychecks? If they are then it is fraud, at a minimum it is professional misconduct. Rodgers uses his office to make these statements, is he not responsible for what he asserts...these are official, not off the record, statements and it appears that anything (the Martians are in control of the media) can be asserted without consequence.

StarChild • July 18, 2014 4:02 PM

"Many state-sponsored and black hat attacks *are* published to the point that anyone following the news knows we're under constant attack. The methods these attackers use are also often published. The US government (and others) also publish guidelines for how to defend information systems. If anything, businesses know there's risk but are ignoring it for the bottom line."

Companies are far from having actuarial type data which they can utilize to produce funding for security. What they have to rely on, instead, is a news drip of very selective stories to try and make their cases.

And, like the Wall Street of old, there is remaining extremely poor regulations for even infrastructure companies.

If you want to find out how many banks have been robbed, and even how, no problem. There are statistics for this released by the government. If you want to find out the number of homicides in a city, you have that. If you want to get the numbers on how many car crashes have happened, and where, there is this data as well.

You can consult tables of constantly updated data to understand your chances for death concerning a vast many factors.

But, if you want to find this data for computer security, you can forget about it.

You are bound to rely on sparsely revealed details, if at all, making this data incredibly incomplete.

It is better now than it was five years ago, and much better than it was eight and ten years ago. But, the situation is still grim.

The point is when it comes to computer crimes: the data is deeply lacking.

You can not rely on headline news stories for such data. That helps. But it is inaccurate. So, companies often have to rely on data from their own honeypots, data from their firewalls, for funding.

They have to rely on data published by firms who have a vested interest in publishing that data. This means that data can not be well trusted. Because it is corporate sponsored data by companies selling products.

As for companies relying on their own data: I can not say how weak that is. Many companies do not even attempt to quantify that data. They remain deeply understaffed and deeply underfunded. And even where there is funding and staff, they are working blind.

Evan • July 18, 2014 4:02 PM

It occurs to me that if the NSA wasn't so busy compromising cryptographic security standards and gathering databases of information on American citizens, they might actually have some man power to help ensure government systems are more secure against intrusion - which is, you know, their actual job.

Nick P • July 18, 2014 5:10 PM

@ Evan

Their main job is getting data out of anything that's powered by electricity (SIGINT/ELINT). The protection of government systems is a side job and most of it is worded toward COMSEC, not INFOSEC. So, they're mostly doing their job as it's defined. It's why I tell people their mission is the problem.

Nick P • July 18, 2014 5:38 PM

@ StarChild

I see your point now. There's definitely a shortage of hard data on computer crime. I'd like to see that change. Dare I say, though, that data might not even be very helpful as attackers go for weakest link: using the data to justify funding to defend against data-supported weaknesses just means the attackers hit something different next year. So, I'm not sure how valuable it will be other than telling us about the losses or giving some data on the effects of specific defense trends on specific attacks. Neither is a measure of how secure an organization is. Having a malicious actor targeting a company rather than mere accidental compromises changes the situation quite a bit.

That's why I advocate an approach that looks at assets, looks at risks, and tries to devise ways to protect the assets. We have a long string of books, government reports, news, evaluations, Black Hat briefings, and so on telling us where the problems are. Most of it is at the endpoint, a lack of network protection hurts, social engineering abounds, and employees' activities within business processes can also cause problems. There are methods and frameworks to deal with these. Some, like whitelisting + patching, would've stopped 75% of "APT" attacks according to Australia's NSA (DSD). Both of those can be had for free, btw.

So, I maintain companies just aren't trying. I mean, look at Sony's Playstation Network failure: they were running the service on systems without a firewall running an Apache that went over six months without patches applied. These are both security measures that companies actually know about. Leads to other explanation that they don't care.

"And, like the Wall Street of old, there is remaining extremely poor regulations for even infrastructure companies."

This is another problem. It's connected to my point about them not caring. For-profit companies are externalizing machines. The more cost they can get rid of, the more profit. So, they need an incentive (fines or profit) to take care of these things. Schneier discussed liability here along with alternative views in the comments. I'll add that the only time the market produced strong security was in Orange Book days when passing a high security evaluation was required to make sales for classified networks. A similar thing happened [and is happening] for safety with DO-178B and similar standards.

Note: I think a set of clear standards and goals (rather than specific methods) combined with an evaluation is preferable to liability laws that involve lots of private parties suing each other. That just leads to the roachfest Marcus Ranum worries about where the lawyers are the main winners.

@ name.withheld

I'm never sure if they're stupid or just profitably going with the flow of the corruption on INFOSEC/cyberwar. For instance, the main reason the banks don't worry about increasing security significantly is because they paid Congress to pass laws minimizing their liability. We also know they're under pressure to go with the cyberwar stuff as there's billions in contracts on the line which will benefit their re-election and their districts. I'm also guessing there's push from other campaign contributors against things like strong security requirements or liability legislation. So, in a pervasively corrupt republic, anyone taking such a stance is doing the smart thing for their personal gain, possibly their state (jobs), and their customers, err, contributors who care strongly about our country. ;)

StarChild • July 18, 2014 7:18 PM

Nick P


"Just try harder" or "try smarter"?

How can you try smarter with such disparate and incomplete data sets?

Consider some of the data sets:

- your own company's sensor systems
- major consulting companies and their yearly, anonymized reports
- honeypot networks (are these truly diverse and sufficiently random to provide realistic data, for instance, can attackers profile these systems, are there realistic honeypots in use that realistically simulate a diverse pool of attackable systems?)
- sensor (firewall/WAF/IPS/IDS/HIPS, etc) companies and the data they collect, then anonymize to make proprietary rulesets
- a wide variety of government agencies who often bonk their heads together in turf battles and secrecy
- journalism, latest news reports, which are often rife with errors, intentional and unintentional
- the extraordinary number of attacks and the extraordinary nebulous manner of sourcing attacks
- the politics and turf battles involved in sourcing/attribution of attacks
- the extraordinary difficulty of human sources, a matter which has changed the shape of modern human intelligence... now cover agents and access agents can work global networks around the world, but who is bullshitting, and who is legit, and who is somewhere in between because of assumptions
- the secrecy required during investigations, both criminal and counterintelligence
- the nebulous form of attribution with computer attacks: in the NASDAQ attack the source was previously confirmed as "FSB" code. But, the article also points out somehow "Chinese cyberspies" were using the very same code. You can (or maybe not) only steal other countries' code and use it on your own country's behalf, but you can also compromise their systems and appear to be coming from their networks.
- the nebulous form of attribution, on persons involved. Consider the Mandiant Chinese cyberspies big case of a few years ago. Ultimately they relied on such things as apparently accidental social network posts. Ever seen the documentary "talhotblond"? Even untrained middle aged women (or men) can easily pose as about anyone they want to. Much less intelligence agencies with decades of experience creating iron clad legends for individual agents and organizations alike.

Any one of these points is daunting. Consider, for instance, the "politics" angle in these reports.

Do you really believe this recent NASDAQ report release timing was random? Are you sure the disillusioned, governmental source was who they claimed to be to the reporter?

As you sound like you get around, like me, for every year you are in "this industry", you probably hear more shocking stories about unreported compromises told to you in confidence online and at conferences.

And, if you work in either government or corporate (or both), I am sure you are very familiar with the continuing and daunting problem of getting funding that is required. You are probably also used to hearing from vendors and others who get around with various companies about how "such and such sort of organization" is abysmal at computer security.

Refineries are mentioned in the article. Do you recall the Texas City refinery explosion of a few years back? These guys were working consecutive, non-stop shifts with very little sleep. They hardly have been spending proper time and resources on computer security. The same could be said for so many of these infrastructure companies.

Which, one might add, means that there is an enormous amount of technical knowledge required in the field. There is an enormous number of areas one must study and master. While these areas may be trivial seeming to you or me, you know it is far from trivial for very smart people who just happen to work in entirely different industries and simply have not dual mastered so many fields.


Steve • July 24, 2014 7:33 PM

@NickP "Many state-sponsored and black hat attacks *are* published to the point that anyone following the news knows we're under constant attack."

Hell, anyone who knows how to read a log file on any system connected to the Internet should know they're under constant attack by anyone from pimply faced script kiddies to nation-states trolling for open databases.

Mark • July 22, 2015 4:30 PM

So I was a federal contractor for 4 years and had to fill out all that paperwork exposing every juicy tidbit of my life and those closest to me. Are we just screwed now or is our government going to do something to assist those whose personal information they failed to protect?
