Since the U.S. Office of Personnel Management announced a pair of network breaches this month, Michael Brown, a former admiral in the U.S. Navy, has waited for the notification that his sensitive personal information was stolen in the breach.
While the Office of Personnel Management estimated that attackers had stolen the employment and insurance records of some 4.2 million government employees, officials still did not know the extent of a second breach the agency disclosed in mid-June in which attackers apparently gained access to a sensitive database storing the results of the background investigations required to gain clearance for sensitive government positions.
A preliminary estimate, based on the Social Security numbers in the database, estimated that the personal details of 18 million people were stolen in the attack that the Obama Administration linked to China.
While Brown, now a vice president for security giant RSA, is concerned what the attackers might do with his information, more worrisome is what they might do with the information of people who failed to get a security clearance, he told eWEEK.
"I worry about those folks over the many years who have not received a clearance, they are a prime target," he said. "Because the rationale for them not to get clearance—whether they are still in government or not—the evidence is in that database, and I think that is a major risk for us right now." Details of arrests, drug use, infidelity and poor finances would likely be top targets, Brown said.
The issue underscores the unanswered questions that remain nearly a month after the OPM announced the first of the breaches. The initial breach underscored that a federal agency that knew it was under attack by apparent Chinese attackers could not defend itself. Details of the second attack, however, made the breach a national security issue, according to security experts.
Federal job seekers fill out an in-depth questionnaire, known as Standard Form 86, when they apply for a job requiring a security clearance. In addition to the document, however, investigators compile their own dossier on the applicant, known as an adjudication.
Investigators believe that both sets of data have been compromised, a number that preliminary investigations indicate could be at least 18 million, although Katherine Archuleta, director of the OPM, emphasized that no official estimate has yet been released.
"It is not a number that I feel comfortable, at this time, represents the total number of affected individuals," she said in a statement delivered to the U.S. Senate Committee on Homeland Security and Governmental Affairs on June 25.
The breach will have a significant impact on U.S. government workers and U.S. national security, security experts said. "Is OPM about as bad as it can possibly be? No, it's worse. The Chinese know [now] everything the [government] learned," a security expert known as The Grugq summed up.
The Office of Personnel Management has been struggling with modernizing its systems, and securing those same systems, for more than a year. In March 2014, the agency discovered a major breach of its systems, and while it claimed no data had been stolen, it pointed the finger at Chinese hackers.