Did you by chance hack OPM back in 2015? Good news, your password probably still works!

More than three years after suffering one of the largest cyber-attacks in US government history, the Office of Personnel Management has yet to adopt dozens of the security measures investigators ordered – including basic stuff like changing passwords. A report issued this week by Government Accountability Office (GAO) …

  1. Nunyabiznes

    SOP

    I work for a small local government and pretty much everything the GAO recommended is standard operating procedure for us. It isn't rocket surgery people.

    1. Anonymous Coward

      Re: SOP

      The smaller the network and fewer the users, the easier it is to implement procedures like this. Not excusing OPM's lack of action, but they are facing orders of magnitude more difficulty implementing and coordinating a project to do this across their whole network than you face in your network - the "server room" of which probably fits in a broom closet.

    2. MiguelC

      Re: It isn't rocket surgery people.

      Nor brain science, for the matter...

      1. TimMaher

        Re: It isn't rocket surgery people.

        Or even domestic science.

        Actually, I quite enjoy cooking.

        I’ll get my apron.

  2. Stevie

    Bah!

    Budget?

  3. Anonymous Coward

    Everybody is both lazy and obsessed with bullshit & complexity

    Basics? Can't get those right. We are an INDIVIDUALISTIC society, here!

  4. sanmigueelbeer

    Really?

    C'mon, people! Let's be realistic. Who'd be stupid enough to hack OPM? Again.

    Oh, wait ...

  5. RobThBay

    Why bother?

    They probably figure that everything has already been stolen so why bother. Same thinking as why close the barn door after all the critters have left.

    :)

    1. Anonymous Coward

      Re: Why bother?

      Between OPM (nuclear clearance), Veterans Administration (medical/psychiatric), and Experian (financial), there's nothing left to leak! Oops, maybe my shopping at Amazon and Newegg.

      1. Anonymous Coward

        Re: Why bother?

        @Jack: OPM also gathers the basic SF86 information for DoD (military contractor) clearances on behalf of DSS (Defense Security Service).

        (I'm sure this is public info but I'm going AC anyway.)

        EDIT: I see you commented on that lawsuit-dismissal article from last year, and given your tone I guess you already knew what I said about DoD/DSS (but others might not). Sorry to bother you.

  6. Jay Lenovo

    Buckle up, or Not

    An agency like a car in disrepair:

    Bad tires, cracked windshield, smokey exhaust. But hey, they fixed those.

    In another year they'll fix the failing brakes and maybe that burning smell.

    OPM Data commutes with no fear.

  7. sitta_europea

    Shame the GAO can't put its own house in order before it prattles on about everybody else's.

    Here's a mail to which I'm yet to see any response:

    Date: Wed, 10 Oct 2018 16:47:11 +0100 (BST)
    From: G.W. Haywood <gwh@jubileegroup.co.uk>
    To: chaplainc@gao.gov, youngc1@gao.gov
    Subject: Security issue with your DNS records.

    Good afternoon from England,

    A recent report about a GAO publication (GAO-19-128) prompted me to look into some aspects of the GAO's own IT infrastructure.

    My first investigation took no more than a few minutes and immediately highlighted a security-related issue.

    As you can imagine I am reluctant to send such information in a plain text email; if you would like to know more please get in touch with me with the telephone number of a senior administrator for me to call.

    Kind regards,

    G.W. Haywood, BSc (1st hons), CEng, MIET, MRIN.

  8. hellwig

    Not under this Administration.

    No idea why this wasn't handled under Obama, but you know damn well the Trump administration is never going to implement changes recommended under Obama.

    1. A.P. Veening

      Re: Not under this Administration.

      "the Trump administration is never going to implement changes recommended under Obama."

      Completely correct as that might involve something like common sense.

  9. Anonymous Coward

    My Secret Clearance private info was stolen. It's not a joke

    In the OPM breach *everyone* who had a clearance, such as Secret, Top Secret, etc. had tons of personal information stolen. So who gets a Secret or Top Secret Clearance? Try all US spies from CIA, NSA, and all of the other 3 letter acronym agencies. The investigations that go on before granting a Secret or above clearance include interviewing neighbors, friends, classmates from way back when, and the list goes on. Of course the obvious info that we use for online banking such as mother's maiden name, your full Social Security number, the town where you were born, etc. are up for sale on the darknet.

    I had a Secret Clearance for work in a non-defense but sensitive-info agency. I am still getting hit by credential stuffing attacks, twice last week! In fact credential stuffing is now one of the top threats in the U.S. Add to that the Equifax breach and multiple Facebook data thefts and we are all screwed.

    Believe me, if you were one of the OPM victims, the battle to protect what's left of your personal identity is a never ending pain in the butt. We need privacy laws with legal recourse. I recommend that breaches due to having anything less than standard security measures should be treated like medical malpractice lawsuits. Let Facebook and Equifax get hit with $50 billion in damages going to individual victims and companies would immediately change their negligent behaviors.

    1. Anonymous Coward

      Re: My Secret Clearance private info was stolen. It's not a joke

      US gov seems to be quite good at leaking secrets

      according to

      https://www.nytimes.com/2018/11/16/us/politics/julian-assange-indictment-wikileaks.html

      which (eventually) links to https://pacer-documents.s3.amazonaws.com/179/399086/18919235200.pdf

      (152kb pdf)

      which says stuff like /secret indictment/ /sealed criminal complaint/ /state of Virginia/

      and stuff like ~ sealing is necessary because Mr Assange is a sophisticated defendant, with this case attracting high publicity, and he shouldn't know about his secret arrest warrant, so that he can't avoid arrest and extradition ~

      secret stuff is hard!

  10. Soruk

    They're probably not installing the updates because their computers say they're all up to date already.

    On Windows NT.

  11. WonkoTheSane

    Tinfoil hat time

    First thing I'd do when a database that important gets hacked:-

    Check vs backup from before hack - Have more clearances been ADDED than there is paperwork for?
