Future Tense

How OPM Betrayed Me

I trusted it with my most sensitive information. But it didn’t bother securing the data.


Photo illustration by Juliana Jiménez. Photo by Thinkstock

“Why are you and your spouse divorcing?”

The question didn’t surprise me. I’d been through several background investigations for my security clearance, so I expected it. My interviewer held his pen over the paper, which already contained heaps of detailed information about me: the names and phone numbers of close friends, the length of time I’d known them. A list of colleagues and connections, the things I liked to do outside of work. What I saw as my strengths and weaknesses and what my friends saw in me as well.

“Irreconcilable differences,” I muttered. Even though I’d prepared myself for this moment, I felt some resentment. I was anxious to move on from this topic. But my interviewer’s pen did not move.

“They really don’t like us to leave it at that,” he said, gently but without sympathy. “We need to know more.”

How could I explain something so personal and complicated to a complete stranger? As I stammered through a wordier version of “irreconcilable differences,” my interviewer continued to take notes. While my explanation was still vapid, I’m sure my emotional response spoke volumes.

After we finished, the notes from my interview would be compared with the interviews given by my friends, first the ones I’d recommended, then a second tier. (I learned later that my friends had also been asked to explain my divorce.) That information would be combined with an in-depth worksheet (the SF-86) including social security numbers, addresses, and personal history, creating a representation of my life. The U.S. government would use this representation of me to decide whether I could be trusted with its sensitive information. So the question about my divorce was utilitarian, not salacious. Had I said, “My spouse’s extensive travel for the KGB was really putting a strain on our relationship” (a completely fabricated example), I’m pretty sure my clearance would’ve been canceled and I’d be under a completely different investigation. So when faced with the question, I gave some vague details about the divorce and finished the interview. Soon I was looking forward to another term of my security clearance, one I would hold until I changed jobs. (I currently do not hold a clearance.) While the questions felt intrusive at times, I understood the reasons for them, and I trusted that my information would be guarded closely.

But that trust was broken. In July 2014, a breach of the U.S. government’s Office of Personnel Management was reported. No big deal, OPM seemed to say. An internal email stated, “At this time, neither OPM nor [the United States Computer Emergency Readiness Team] have identified any loss of personally identifiable information for any users of OPM’s internal or external systems.” Basically, OPM employees were told, “Be vigilant—but we’ve got your back.” Five months later, it was discovered that KeyPoint Government Solutions, a company that did background checks for security clearances, had been breached. There was “no conclusive evidence to confirm sensitive information was removed from the system,” OPM said in a letter to nearly 49,000 federal workers. Again, “we all must be ever-vigilant in our efforts to understand, anticipate, and guard against the threat of cyber-attacks.”

On June 4, the avalanche began. It started with the reveal that OPM had been breached in April. It’s believed that information stolen from KeyPoint allowed intruders to open OPM’s systems. Then came word that the breach had actually happened months earlier, giving the attackers plenty of time to exfiltrate data. It was at this point that many of us with clearances started to accept the probability that our personal data had been hijacked. “The OPM hack could affect 4 million people,” the headlines read. A week later, a second OPM breach was reported. The number of people included rose to between 5 and 15 million, with confirmation that SF-86 background check forms were among the data compromised. On June 23, FBI Director James Comey estimated that the personal information of 18 million people had been stolen. As of this writing, more than 21.5 million people have been affected. That includes a few million people who didn’t apply for clearances but who were listed in clearance paperwork. Spouses, family, friends, children. And not just social security numbers, birthdates, fingerprints, and SF-86 forms, but interview notes, too.

As the events unfolded, I felt more and more agitated that so little was done to protect my information. The fact that an adversary with the stolen information could create a highly detailed picture of our national security posture was dizzying, but I didn’t feel personally threatened. Until I learned that notes from background check interviews were among the stolen data. All the stories that fill in the gaps between the numbers, the narrative that turns a spreadsheet into the representation of a person, at their best and their worst—not just gone, but never even protected in the first place. Suddenly, the OPM hack felt a lot more personal.

Cleared personnel are trusted with the nation’s secrets. To earn that trust, we voluntarily open up our lives to government scrutiny, to ensure that we can’t be blackmailed or otherwise manipulated into divulging classified information. But trust is a two-way street, and as we’ve participated in security clearance reviews, we were promised that our personal information would remain protected. I always thought that the care I took in protecting the government’s information would be returned in kind.

How did I learn of the extent of data lost? Twitter. I’ve never been contacted by OPM (although I’ll admit that sending out more than 20 million letters is no small task).

The OPM was the trusted repository for all our personal information—ours, and that of our family members. But OPM didn’t take that job seriously. OPM didn’t employ any security IT staff until 2013. It didn’t know which machines were on its network. OPM’s inspector general reported that “OPM does not maintain a comprehensive inventory of servers, databases, and network devices” and that the network wasn’t routinely scanned for vulnerabilities. How could OPM possibly protect a network that it inherently didn’t understand? Access controls to OPM systems were shockingly weak, relying only on usernames and passwords—insufficient protection in this day and age. I would love to get on my encryption soapbox here, but encryption would have been useless, given the depths to which attackers penetrated OPM’s systems. That kind of negligence was, until recently, incomprehensible. OPM didn’t have two-factor authentication (like when your bank texts a verification number to your cellphone before you can log in) in place for employees who accessed personal information databases from outside the office. Twitter gives me the option of two-factor authentication—was it really so crazy to think that the government would’ve done something similar? I protect my Twitter account better than OPM protected my child’s social security number.

The Chinese government—which many believe is behind the attacks, although no formal assignment of blame has been made—may have no interest in my divorce or whether I’ve been known to go bowling with colleagues after work. It’s probably more interested in the security posture of our nation, the picture that emerges when 21.5 million identities are aggregated and analyzed. But to know that sensitive personal issues were treated so casually by my government is painful in its own right. The government trusted me with its sensitive information. I should have been able to trust it with mine.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.