While the US government has never been very good at protecting our personal information against cyber attacks, the Obama Administration has set records for incompetence in the area of data security. The current score: F.
Here are just some of the breaches that have occurred under the current administration. I am sure I have missed some.
- Individual rogue employees and contractors, including Edward Snowden, have made public information on more than 2.4 million government personnel available to the media.
- Tricare, the US military health program, had 4.9 million records stolen from unencrypted backup tapes (Sept. 2011).
- Stratfor, a global intelligence firm serving the US Government, had 860,000 records stolen by the hacktivist group AntiSec (Oct. 2011).
- The US Navy Criminal Investigative Service had a breach involving 220,000 military personnel from the database that managers transfers of service members for all branches of the US military (June 2012).
- The National Oceanic and Atmospheric Administration (NOAA) had a data breach in 2013 that they have not investigated because the data was stolen through a contractor’s personal computer. As of a July 2014 report, NOAA does not know what data was stolen and whether it involves any personal information.
- The Department of Energy had 104,000 records from their Employee Data Repository database (July 2013).
- USIS, a company that conducts background checks for the Department of Homeland Security, reported a cyber-attack that impacted 25,000 people (Aug 2014).
- The U.S. Postal Service had a breach involving the loss of names, Social Security numbers, and addresses that impacted more than 800,000 personnel (Nov. 2014).
- The State Department has shut down its unclassified email system (Mar. 2015) because of a cyber-attack linked to a breach at the White House (Oct. 2014). This on top of the illegal actions of Hilary Clinton and her staff while she was Secretary of State and after she resigned.
- The Internal Revenue Service had a data breach that involved the detailed tax-return information on 104,000 taxpayers (May 2015).
- The Office of Personnel Management, which keeps track of every US government employee and contractors, has had two breaches since July 2014 involving at least 21.5 million individuals. Also potentially impacted are job applicants for federal jobs. Because this database was used for background checks for individuals, spouses and co-habitants, immediate family, close contacts and references could also be impacted. If you may be impacted by this OPM data breach, there is more information here.
Many of these attacks appear to be “practice” attacks. Cybercriminals started by seeing what they could attack and what data they could access. It was only after their success at that stage did they advance to turning a profit from these activities. It did not take them very long to go from “well, that worked” to full-scale general attacks and, more recently, to more focused attacks.
But the larger concern is that stealing the data may not be the real objective. The access to our government’s sensitive data that our enemies have demonstrated with these attacks also gives our attackers the ability to change or remove the data. Image the impact of an attacker deleting around 100 million individual and company records from the IRS databases. Such an attack would be quickly identified, but the fix would not be quick. Even worse would be the impact of making random changes to the data, for example changing filing dates or the amount of tax paid. Those changes would be exceedingly difficult to identify and correct. Image the damage such unauthorized changes could make to FBI, Department of Defense, or other security-dependent databases.
These attacks are not isolated and unusual events. Many of them appear to be organized attacks by other governments, especially China. As such they are acts of war. Our current administration has demonstrated a complete lack of concern and ignorance of the implications of these attacks. President Obama consistently appoints people to high positions who are either totally ignorant of data security or do not care about the welfare of the citizens of the United States, or both. OPM was not monitoring the security of their networks and data and were not encrypting data as required by federal regulations. These people, like Katherine Archuleta, the formal director of the Office of Personnel Management, should not be allowed to simply resign and seek another government job. They should be immediately fired and lose all government pensions, medical coverage, termination bonuses or any other government benefit. In some cases, and Ms. Archuleta is one such case, these so-called leaders should be tried for violating federal data security laws and fined or jailed as specified by those laws if convicted. It is past time for Congress to act to make the punishment fit the crimes these “leaders” commit.
The last word:
What do you do if you believe your personal data has been stolen or, worse modified? You are pretty much on your own. Unlike companies, government organizations do not have to provide any support or even notify you that your data has been compromised. OPM has stated they have notified impacted individuals, and you can request a suite of services including free credit reports. As always, you should be checking all of your financial accounts frequently, more often than once a month since in some cases you only have 30 days to report a problem. Consider using one of the “identity theft prevention” services. I use LifeLock Ultimate Plus, which monitors financial accounts. I get notification of a financial transaction that meets criterion I specify within 48 hours.
At the first hint of a problem, notify the government organization involved. If you do that online or over the phone, make sure you get a “claim number” so you can prove that you did notify them. If you do not get quick resolution, consult your financial advisor or lawyer and notify your Congressional representatives.
Keep your sense of humor.