Administration Caught Lying About OPM Hack Again, May be 4x Larger Than Reported

computer keyboard
AP Photo/Damian Dovarganes

In today’s “OMG THE OPM HACK GETS EVEN WORSE!” update, we learn that the Obama Administration knew the data breach was far worse than originally reported. As is customary, they lied about it to keep the initial news cycle under control.

The 4.2 million affected federal employees admitted by the Office of Personnel Management was headline news, but it was ultimately possible to distract the public from it.

What if we’d known from Day One that the real number is more like 18 million current, former, and prospective federal employees, as CNN reported on Monday night? Just the other day, Administration flacks were whining that the 14 million worst-case number floated by some security analysts was exaggerated; now it looks like that was a lowball estimate.

And what if even that number had been reported with the advisory that it was likely to grow?

FBI Director James Comey gave the 18 million estimate in a closed-door briefing to Senators in recent weeks, using the OPM’s own internal data, according to U.S. officials briefed on the matter. Those affected could include people who applied for government jobs, but never actually ended up working for the government.

A closed-door briefing for Senators, but the people whose lives could actually be destroyed by these hackers are left to twist in the wind for additional weeks of precious time. CNN notes that, to date, only the 4.2 million targets officially acknowledged by OPM have been notified their identities are at risk. America has suffered an act of war, but this White House remains more interested in keeping it quiet than dealing with it.

Some details of such an attack must be kept confidential to aid in the investigation, but it’s hard to see how keeping the scope of the breach under wraps for a few extra weeks served any security interest worth leaving the victims vulnerable to identity theft. It served useful spin purposes, however, and now it’s time for “U.S. officials” to leak the truth to CNN.

As for the investigation into the hackers’ methods, it sounds like a classic Obama-era clown show, with different agencies trying to cover their posteriors by offering conflicting theories of how the hack was accomplished:

The same hackers who accessed OPM’s data are believed to have last year breached an OPM contractor, KeyPoint Government Solutions, U.S. officials said. When the OPM breach was discovered in April, investigators found that KeyPoint security credentials were used to breach the OPM system.

Some investigators believe that after that intrusion last year, OPM officials should have blocked all access from KeyPoint, and that doing so could have prevented more serious damage. But a person briefed on the investigation says OPM officials don’t believe such a move would have made a difference. That’s because the OPM breach is believed to have pre-dated the KeyPoint breach. Hackers are also believed to have built their own backdoor access to the OPM system, armed with high-level system administrator access to the system. One official called it the “keys to the kingdom.” KeyPoint did not respond to CNN’s request for comment.

The latter narrative, that OPM was compromised a long time ago by Chinese agents who got their hands on valid administrator credentials, is consistent with other reports we’ve seen over the past few days.

Administration officials are now conceding to a danger warned about in this space previously: penetration of the government’s security clearance database will set up a huge number of secondary targets for the hackers. “The actual number of people affected is expected to grow, in part because hackers accessed a database storing government forms used for security clearances, known as SF86 questionnaires, which contain the private information of multiple family members and associates for each government official affected, these officials said.”

CNN mentions the growing heat on Capitol Hill – not all of it emanating from Republicans, who are usually the only ones who care about getting to the bottom of Obama Administration disasters.

“OPM officials are facing multiple congressional hearings this week on the hack and their response to it. There’s growing frustration among lawmakers and government employees that the Obama administration’s response has minimized the severity of breach,” says the report, adding that Congress is especially unhappy with OPM Director Katherine Archulata’s sluggish response and agency foot-dragging about providing information to both legislators and the public.

We’re still deep in the Administration spin cycle, since as Ars Technica points out, they’re still talking about the data breach as a single event, when in fact at least two related operations hit different government systems: “The first was the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior’s shared service data center. The second was the central database behind EPIC, the suite of software used by OPM’s Federal Investigative Service in order to collect data for government employee and contractor background investigations.”

Either of those breaches would qualify separately as one of the worst failures in cybersecurity history. There’s no sign anyone will be held accountable for letting this happen, despite years of warnings issued to top officials. Instead, we’re getting the same headline-shaping promises of swift damage control we got after the ObamaCare launch disaster, the VA scandal, the IRS scandal…

To date, OPM has no idea how many individuals’ background investigations were exposed. All Archuleta said was that the agency was “committed to notifying those individuals whose information may have been compromised as soon as practicable.”

In the meantime, the Obama administration has ordered a “30-day Cybersecurity Sprint.” Agencies must perform vulnerability testing and patch existing holes in security. They must prune the number of privileged user accounts and expand adoption of multifactor authentication for all systems. The Department of Defense and intelligence community have led the way on that last requirement, but many civilian agencies (such as OPM) have been slow to put it in place.

Just how much this “sprint” will improve government security remains to be seen, especially since agencies such as OPM have been repeatedly warned in the past about minimum “security hygiene.” Thirty days is not likely enough time to correct a decade-plus of neglect of antiquated systems, poor leadership, and spotty attempts at modernization.

A 30-day “cybersecurity sprint” after the biggest Big Government faceplant since ObamaCare is like a little kid grabbing a dustpan and telling his parents to get excited about the “sweeping sprint” he’s planning, after shattering every lamp and glass table in the house. The Chinese understand, as this unserious President and his juvenile Administration do not, that the First Cyber War is a long game, won not with flashy “sprints” after irreparable damage has been done, but with carefully-planned and executed moves ending in checkmate.


Please let us know if you're having issues with commenting.