Government Workers' High-Value Data At Risk After OPM Breach
DAVID GREENE, HOST:
We're learning more about the largest breach of U.S. government data ever. It was revealed recently. Hackers were after information at the Office of Personnel Management, which is basically the federal government's HR department. The cyberattack is believed to have been launched from China. Hackers obtained the records of 14 million people. And one of the questions facing investigators is why China wanted this stuff. Michael Riley covers cybersecurity for Bloomberg Business, and he joins us in the studio. Michael, good morning.
MICHAEL RILEY: Good morning.
GREENE: So what kind of information did the hackers get here?
RILEY: It looks like they went after a bunch of different kinds of stuff. Some of it's just very basic personal information - Social Security numbers, work records, military - like, what was your military record? But the government revealed on Friday that they actually got into a very sensitive database, which is the background checks done for people who have security clearances for top-secret information. So if you can imagine it, these are forms that are incredibly detailed, and they're designed to show vulnerabilities that employees might have that would handle very secret information.
GREENE: OK, so this is stuff like you're applying for a job, and you have to answer all these sensitive questions about yourself, your history, your friends, your family.
RILEY: Foreign travel, foreign contacts - it's any history of drug use. It's like if we're going to give you very sensitive, top-secret information, we want to know everything about you and everything a foreign intelligence agency might use to recruit you.
GREENE: So is that what they're trying to do? They're trying to get information that's sensitive that they could use as - as what? - like, some sort of blackmail to try and recruit people?
RILEY: Yeah, this seems to be, like, just old school spy craft at a new scale of immensity. In other words, they can use this to figure out vulnerabilities of people who have information they want. And they've stolen all sorts of other information, including health records and other things that they can cross-reference.
So they know that you have a particular job in the U.S. government that might deal with a particular area of policy that affects China, for example. They now know that you handle top-secret information associated with that, and they also have health records on you. They know what kinds of drugs you take. They know what kind of conditions you have. They know what kind of - whether you failed a lie detector test. They know all sorts of things that they can use to recruit you as a spy.
GREENE: And is also the kind of thing where they could take this information and sort of act like someone that you might know...
GREENE: ...To try and get you to open emails from them?
GREENE: And if they're able to do that, would that then give whoever these hackers are even more access to databases if you're actually opening emails from them thinking it's just a friend writing to you?
RILEY: Absolutely. Now, I mean, it's a notion called spear phishing, which they can send an email that looks very much like, for example, your insurance company or your hospital billing agent. And it can have a lot of information that would say to you, this is actually the person that you need to talk to and give your information to. It's a very powerful weapon to have because once you open that e-mail or click on this link, then it downloads a virus which infects your computer. And again, these are people who have very sensitive information about the government and about government activities that they want.
GREENE: How are government officials so sure that this was China, if they are sure?
RILEY: You know, the U.S. government has been - has not gone on the record openly. For example, the White House spokesperson has not said that this is China. The U.S. officials have said, behind the scenes, that it's China, and they've also told other people - other agencies that have been hacked by these same guys - that this is the Chinese government. The way that they figured that out is that we have our own versions of electronic spies that watch the computers from which this comes. They can actually hack back and hack the hackers, so they've done a lot of work to figure out that this is China, and so far the word is this is China.
GREENE: Michael, you cover cybersecurity threats - all sorts of cybersecurity threats. I mean, how scary is this one?
RILEY: It's very different than other hacks we've seen, including Target, for example, where hackers grabbed millions of credit cards. And those credit card numbers can just simply be replaced. It's a problem that you can actually fix. This is something that - where they got information on people that you cannot fix, I mean, if they know your vulnerabilities. And it goes back historically to the 1980s. Some of those people who, for example, might have applied for secret clearances and didn't get them because they failed a lie detector test or because they had a history of drug use - those people might actually be in a different part of government, or they might be in the private sector in very important jobs. And you now have this vast database of information on people that - all over the country - that do really important things. And that's a hard thing to fix.
GREENE: Michael Riley covers cybersecurity for Bloomberg Business. Michael, thanks for coming in.
RILEY: You bet.
Transcript provided by NPR, Copyright NPR.