Folks are wondering: if the gov’t cannot secure our data, who can? Frankly, the gov’t in terms of security has always been horrid. I have done contract work for the gov’t more than once, and the level of network security outside of the military is atrocious.
But none can hold a candle to the breach the U.S. government announced last week. Not even close. On a scale of one to 10, with one being the loss of credit card numbers and names, this data loss event would conservatively be a 15.
Most people aren’t aware of exactly what type of information the federal government collects on its employees, especially those with security clearances. We all have some idea that government employees have relatively strict reporting requirements for financial information, and we know that federal workers with higher clearances undergo thorough background checks and must submit to interviews of both themselves and their family and friends. This is done to flag potential problems and to prevent outside agents from having undue influence over people who may have access to sensitive information and materials.
Put simply, if you have a security clearance, the government would like to know if you have a drug problem or if you are in serious debt, because a foreign interest may try to use that situation as leverage to coerce you into revealing sensitive information. In the interest of national security, these safeguards make sense.
But the true nature and scope of the information required by the government and subsequently collected by the government on an employee is massive. Take a look at Standard Form 86. This is a 127-page form that usually takes a week or more to complete and requires the entry of the applicant’s Social Security number on each page. The data included on this form is not just enough for identity theft, but enough to allow a person to literally become another person. Each Standard Form 86 fully documents the life of the subject. The only thing missing is the name of your first crush, though that might be in there somewhere too.
Some 18 million people had this level of personal data — and more, including data collected by observers — lost to foreign agents last week.
If the government collected this data to know if an employee was vulnerable to undue outside influence, then it just succeeded in closing that loop itself, having now released it into the wild. All of those vulnerabilities are now known and available for exploit to whomever stole the data, or to whomever they wish to sell that data. This is very, very bad.
I should also mention that many of those whose personal information was swept up in this data loss event were never even government employees in the first place. They may have filled out the forms and submitted applications, but they were never hired or they declined the job. This includes prospective TSA agents right on up through CIA employees — the higher the position, the higher the clearance, the more sensitive the data that was collected and lost. Information on these people’s infidelities, sexual fetishes, mental illnesses, criminal activities, debts, and other highly personal information is now in the hands of cyber-attackers. This is damage that cannot be undone or mitigated. We can change credit card numbers and refund fraudulent charges, but we can’t change any of the personal data and intimate details of these people’s lives. That’s a permanent loss.
Source: The most dangerous data breach ever known | InfoWorld