Hacked and Stomped
July 16, 2015
I had my personnel records stolen in the Great Federal Personnel Chinese Hack-Heist of 2015. Let’s recount all the organizations that have been hacked and lost my personal info, shall we?
- Federal government
- Playstation Network
Let’s list all of my accounts that have been hacked because I accidentally lost my personal data:
That’s fine. Hacking happens, nothing is perfectly safe, and a waiter can steal your credit card as easily as any online hacker. That’s not what steams my baked beans and makes my green tea go cold. It’s when an organization that has taken my personal data loses said data, inevitably the same CYA exercise happens:
- It mumbles a very late apology that such a hack happened, emphasis on late and mumbled.
- It doesn’t explain why it’s announcing that the hack happened more than a day ago. (Last year, OPM? Come on.)
- It doesn’t apologize for letting the known vulnerability remain open, and it is nearly always left open deliberately because fixing it costs money or time.
- It sure as shit doesn’t fire anyone who let the hack happen by pooh-poohing the needed security fixes. (BTW, the OPM director resigned because Congress didn’t like her performance in front of them, not because of the hack itself. Apple, Target, Playstation apparently never fired anyone.)
- It implicitly blames the hacked by adopting a series of ‘security measures’ that put responsibility on the hacked to be more secure, and that neither are effective nor address the exploited vulnerability itself. (“We lost the users’ passwords? Okay, make users change their password, and require them to add a special character and an uppercase letter that we will fail to encrypt and keep safe!”)
- They state that they have closed or will close the vulnerability that led to the hack, but the statement is such corporate PR bullshit that I can’t believe it.
LastPass is the only account I have any faith actually did protect my hacked data because they built their business on not actually knowing my master password. They still recommended, out of an abundance of caution, that I change it. And being a password storage company, they should have expected hacks.
Playstation, Apple, and Target all let themselves get hacked because keeping vulnerabilities open was cheaper. End of story, case closed. OPM let it happen for any number of reasons, but it was most likely an inside job done for either money or as part of Chinese espionage (by a contractor, no less).
So yeah, the Chinese now have everything that was in my non-sensitive security clearance and all of my personnel records. They could probably steal my identity about 20,000 different ways. But they won’t. They’ll just data mine the OPM databases for potential spies and/or Alibaba customers. Or they just wanted to make all us feds really afraid.
You can tell those worm-ridden pieces of filth that they won’t get any such pleasure from Marc Hamillton Zworeknee, Social Security Number 9964-12A-402168, born in Browchester, New Mexico on June 2, 1981.