Real-Life Identity Theft Hack – What It Really Means

Have You Been Exposed in a Hack? I Have…

Although many of you read about computer network intrusions and other hacking incidents, most remain unaware of actually being the victim of such activity. I have the unfortunate circumstance of having been a “victim” of the hacking of the U.S. Government’s Office of Personnel Management (OPM). You’ve probably never heard of OPM, but it houses sensitive data for millions of federal employees from the Department of Justice, the F.B.I., Homeland Security, some military personnel and many more. Certain employees who need a security clearance must fill out a long form (127 pages at last count) called Standard Form 86 – commonly referred to as SF 86 – containing the type of information that an individual would never want stolen by hackers, much less enemies of the United States. As you’ll see from reading this article, the hacking of the U.S. Government’s Office of Personnel Management stands as yet another wake-up call for government and businesses alike. The attack by Chinese hackers began in late 2013 and continued through April of 2014, allowing hackers to vacuum up a treasure trove of data. If you follow this type of news, you’re likely not surprised by this latest network intrusion by Chinese hackers. A recent ArsTechnica article included a slide that NBC obtained showing over 600 recent computer intrusions linked to the Chinese government.

[Slide: U.S. victims of Chinese cyber espionage]

As I mentioned above, I received a letter from OPM earlier this summer advising me that my information “may have been exposed.” It appears that compromised credentials of an OPM employee provided the pathway into OPM networks. Historically, the most valuable employee credentials have always been those of high-level executives or anyone in the IT department, as they often have the cyber “keys” to the kingdom. Initial reports of the network intrusion by OPM estimated that 4 million employees had their sensitive data compromised. OPM has now revised their original estimate, admitting that more than 22 million employees may have had their information compromised. At first blush, the ordinary citizen might not make much of the news report. However, when you learn the breadth of information stolen and which federal employees it relates to, the incident becomes breathtaking.

So what type of information could be contained in that precious SF 86, and who has to fill one out? The SF 86 would typically be filled out by a federal government applicant or employee who needs a security clearance to perform their duties. The critical point is that we are not talking about the hardworking administrative staff that powers many federal agencies, but about counter-intelligence agents, law enforcement officials, attorneys and high-level executives. After receiving my letter from OPM, I decided to go back and review what information I’d been asked to provide in my SF 86 to obtain my clearance level. Here’s what I found:

  • Name, date of birth, social security number, passport number
  • Every residence for last 10 years with name, phone # and email of neighbors
  • Employment information for last 10 years with supervisor’s contact information
  • Selective service number and military history
  • People who knew you well for the last 7 years with their email and home address
  • Family members (even if deceased) including mother, father, siblings and in-laws with their d.o.b and where they were born
  • Any foreign financial interests including the cost of acquisition and current value
  • All foreign travel for last 7 years including where you went and how long you stayed
  • Psychological & Emotional Health history for the last 7 years including the name of the doctor, the doctor’s phone number and the dates treated. Strictly marital, family or grief counseling is excluded
  • Any previous security clearances and for which agency
  • Any financial problems relating to bankruptcy or gambling
  • Any association with groups that support terrorism or overthrow of the U.S. Government

And finally, it’s all sworn to under penalty of perjury along with the relevant criminal code citation! If it’s a crime for me to fail to disclose something in the form, shouldn’t there be consequences for them disclosing it?

What should we make of this startling lack of cyber-security from our own government? Sadly, there are many takeaways. The cost to hackers and foreign governments to obtain this type of information remains negligible in comparison to the potential benefit they receive from it – a profile and roadmap for high-level sensitive government employees that can be used to socially engineer or blackmail these individuals for political or monetary gain.

Why should you care? Naturally, the compromise of one’s privacy resonates with most people over the age of 30. Beyond that nebulous concept though, many valid reasons exist. Our 21st century economy largely depends on intellectual property, trade secrets and confidential business information. Do you run a business that relies upon something others don’t have such as a client list, specialized know-how, business plans or privileged information? If yes, then it affects you. Remember, this incident is but one by Chinese hackers and doesn’t even contemplate other foreign interests, domestic hackers, competitors and flat-out cyber criminals. The intrusion represents more than a proof of concept and registers as a shot across the bow delivering the message that our institutions remain unsecured. For businesses that rely on sensitive data, this serves as another reminder to take steps to secure your most valuable assets.

So listen to the wake-up call and don’t hit that snooze bar…