Contractors in Argentina and China were given “direct access to every row of data in every database” when they were hired by the Office of Personnel Management (OPM) to manage the personnel records of more than 14 million federal employees, a federal consultant told ArsTechnica.
The massive breach of OPM’s database — made public by the Obama administration earlier this month — prompted speculation over why the agency hadn’t encrypted its systems, which contain the sensitive security clearance and background information for intelligence and military personnel.
Encryption, however, according to Ars, would not have helped in this case because administrators responsible for managing these records had root access to the system, Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified yesterday at a 2-hour hearing before the House Oversight and Government Reform Committee.
And it turns out that a systems administrator responsible for handling the agency’s records “was in Argentina and his co-worker was physically located in the [People’s Republic of China],” a consultant who worked with an OPM-contracted company told ArsTechnica.
“Both had direct access to every row of data in every database: they were root.”
Experts and politicians are now lambasting the US government for the way the agency handled IT security.
“OPM is right in general that encryption is not magic security butter,” Dave Aitel, CEO of cybersecurity firm Immunity, Inc., told Business Insider. “But the committee is also right in that OPM was massively negligent.”
All told, 65% of OPM’s data was stored on systems lacking proper security certification, Ars reports, meaning the data was vulnerable to far more people than just those with root access and valid login credentials.
“They [the unsecured systems] were in your office, which is a horrible example to be setting,” House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta during the hearing.
“OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information,” Chaffetz added.
The OPM IT team frequently outsources its work to foreign contractors working in their home country. Those holding Chinese passports are no exception.
“Another team that worked with these databases had at its head two team members with [People’s Republic of China] passports,” the consultant told Ars. “I know that because I challenged them personally and revoked their privileges.”
“From my perspective, OPM compromised this information more than three years ago,” he added. “And my take on the current breach is ‘so what’s new?’”
In fact, the breach was unprecedented in its breadth and scope: “Security-wise, this may be the worst breach of personally identifying information ever,” Michael Borohovski, CEO of Tinfoil Security, told Business Insider on Friday.
Federal employees and contractors who want government-security clearance have to disclose virtually every aspect of their lives via a 120-page SF 86 questionnaire, which is then stored on OPM’s unencrypted database.
Experts fear the stolen information could be used by the Chinese government to blackmail, exploit, or recruit US intelligence officers, compromising the success and safety of agents operating at home and abroad.