Hacked US Security Clearances Are Giving Beijing Insanely Personal Information About American Citizens

Hackers who broke into the U.S. Office of Personnel Management (OPM) database this week didn’t just steal birthdays, email addresses and health information. They obtained security clearance information that’s invasive enough to ruin potentially millions of American lives.

At least 4 million federal employees (maybe more) lost their most sensitive personal information to hackers in the OPM breach, which was discovered only after the agency went to update its outdated Internet security settings. As if that breach wasn’t bad enough, the hackers obtained a database of federal employees who sought security clearances. This information, combined with the data gleaned in other government hacks, likely gave China information they can use against high-placed U.S. government sources to persuade them to act in Beijing’s best interests.

The hackers accessed SF-86 security clearance forms, which are used to conduct background checks on Americans seeking access to classified government information. Along with valuable information about applicants, those 127-page forms also have details on the applicants’ family members, friends, former friends, potential enemies, angry neighbors, jilted ex-lovers, foreign nationals and other information that could easily be leveraged in exchange for legislative favors.

“If a foreign government gets that it’s a great place to start finding human intelligence,” said Jim Penrose, a former technical director for counterterrorism at the National Security Agency and current vice president at the cybersecurity firm Darktrace. “If they do this, they can then influence our laws and policies. Even if it’s not something that’s decided upon by our people, a foreign government could be involved, and we’d never know it.”

Blackmail Potential

They might try to intimidate or blackmail powerful officials, but nervous government workers shouldn’t expect to be followed by a black car or be involved in any late-night dead drops. Instead, they’ll simply take out loans in a target’s name and slowly chip away at their sanity.

“It’s human nature to be distracted by things happening in our personal life,” Penrose said. “We’re going to do the minimum to get our jobs done and use the rest of our energy to resolve an argument with your insurance company or figure out a loan. The amount of trouble that could be caused by this breach is really hard to fathom.”

It’s happened already. The cybersecurity company Symantec issued a report on June 30 indicating Western energy companies are regularly revictimized with information gleaned in previous hacks. In one case hackers -- allegedly from Russia -- hacked a software support website and tricked an energy supply company into downloading malware that gave Kremlin hackers the ability to turn off physical equipment.

Slow Government

The OPM hack comes after a series of breaches at the U.S. State Department, the White House, on the Nasdaq, at JP Morgan Chase as well as at major healthcare providers and big American retailers. Virtually every major attack has been attributed to Chinese and Russian hackers acting on behalf of their governments, though it’s nearly impossible to verify that with certainty. Both governments have denied involving themselves in cyberespionage, accusing the U.S. of being the most active hacker on the planet.

There’s no surefire way to prevent these hacks from happening, cybersecurity experts say, but many U.S. government agencies are still catching up to the minimum threshold for security measures. There’s firewall protection, inside threat detection that monitors a network from the inside and better education for well-meaning employees who unwittingly fall prey to email phishing attacks. Agencies should also assign a full-time team of cyberespionage professionals to look for instances of cyberespionage rather than the IT staff.

The U.S. government is struggling to adapt because, well, governments are slow.

“There’s a lot of bureaucracy and steps you have to go through before you can adopt new technology,” said Amit Ashbel, a product manager at the code security company Checkmarx. “The U.S. is just more frequently attacked because it’s the U.S. It’s a global power and has disagreements with different regions.”