WWTBAM Bored

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

http://arstechnica.com/security/2015/06 ... -official/

They were in China, and had root access. In China. With root access.

http://pjmedia.com/instapundit/208756/

themanintheseersuckersuit wrote:

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

http://arstechnica.com/security/2015/06 ... -official/

They were in China, and had root access. In China. With root access.

http://pjmedia.com/instapundit/208756/

Let's not forget the immediately preceding paragraph (emphasis added):

But some of the security issues at OPM fall on Congress' shoulders—the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM's investigation process told Ars, was essentially a company made up of "some OPM people who quit the agency and started up USIS on a shoestring." When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—"a bunch of people on an even thinner shoestring. Now if you get investigated, it's by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account."

Let me translate this. The government had been doing these investigations. Congress insisted on outsourcing them. This is the result. --Bob

Bob78164 wrote:Let me translate this. The government had been doing these investigations. Congress insisted on outsourcing them. This is the result. --Bob

Reading the article, it sounds like OPM's internal databases were almost as easy to hack as the contractors'. OPM realized it, but some of the systems were so old that the only way to protect them was to replace them, which takes years (remember, this is the government).

I have another worry: are these shoestring contractors qualified to do background checks at all?