US Government Has No Idea What Data Was Stolen in Hack of Its Personnel Agency

If certain data was indeed lost, victims might become targets of phishing and even blackmail.

Jun 8 2015, 5:59pm

Last week, the US government revealed that the Office of Personnel Management (OPM), the agency that handles all federal employees' data, had been hacked months ago, leading to the loss of personal data belonging to 4 million people.

Given that OPM is basically the human resources arm of the US government, it was immediately clear that the hack involved "extremely sensitive" data that "could put key government employees that wish to remain anonymous at risk," as former NSA analyst Jay Kaplan put it to Motherboard in an email.

But days later, the full extent of the damage is still unclear, and it might be because the US government itself doesn't know exactly what data was stolen.


On Friday, a day after OPM disclosed the hack, The Washington Post, citing anonymous government officials, reported that the hacked data did not include information on background investigations or applications for security clearances.

That data would be extremely sensitive because people applying for security clearances have to disclose a wide range of personal details such as their full biography, past travels, financial details, and even information on their social lives. This includes information on past "legal, private, sexual" troubles, according to John Schindler, a former professor of national security affairs at the US Naval War College.


This kind of information is a "goldmine" for foreign spies, Schindler wrote on Twitter.

On Monday, however, Reuters reported exactly the opposite: that the hack did include security clearance information and background checks. Reuters also based its report on anonymous government officials.

OPM, meanwhile, is not clarifying whether the hackers, who are allegedly Chinese, got their hands on this type of data or not.

An OPM spokesperson did not respond to Motherboard's repeated requests to clarify this point.

On its website, OPM said that the stolen data "could include name, Social Security Number, date and place of birth, and current and former addresses," but also that since the investigation is ongoing, "additional [Personally Identifiable Information] may come to light."


For some, it's clear that OPM has actually no idea.

"I think the assumption you've got to get away from here is that they even know the full story," Adrian Sanabria, a security analyst at 451 Research, told Motherboard in an email. "Unless you really have some amazing logging, detection and correlation going on before an incident, it can be really hard to determine what systems and data were impacted."

And therein lies the problem. In the past, OPM's computer and security practices were so bad that the agency didn't even know what was connected to its network, according to an internal audit.

"OPM does not maintain a comprehensive inventory of servers, databases, and network devices," the report by OPM's Inspector General concluded.

The agency also didn't scan the network for intrusions or malware, failures that Mark Weatherford, the former deputy undersecretary for cybersecurity at the Department of Homeland Security, called "kindergarten stuff."

Given these security shortcomings, according to Sanabria, "at this point, we just have to assume all this data is compromised and has been compromised for some time."