LinuxQuestions.org
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!
Old 07-03-2015, 07:31 PM   #1
metaschima
Senior Member
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982
Gov't Employees Union class action suit against OPM for epic fail to protect data


No, really, this qualifies as an epic fail by the OPM.

Quote:
In the wake of the OPM breach, members of Congress grilled Archuleta and Seymour in a hearing on the conditions that led to the breach, saying that the agency had completely failed to protect the data of millions of government employees by not implementing database encryption, two-factor authentication, and other basic defenses. The lawmakers grew frustrated with Archuleta and Seymour not answering their questions directly.
https://threatpost.com/class-action-...es-data/113569

Quote:
Originally Posted by Former NSA Director Michael Hayden
The episode, he says, "is not shame on China. This is shame on us for not protecting that kind of information." The episode is "a tremendously big deal, and my deepest emotion is embarrassment."
https://www.schneier.com/blog/archiv..._of_perso.html
Old 07-03-2015, 09:24 PM   #2
jefro
Moderator
Registered: Mar 2008
Posts: 21,982
Hard to sue the Government now isn't it? They can simply refuse to pay. Why not sue China?
Old 07-03-2015, 09:30 PM   #3
frankbell
LQ Guru
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,324
Blog Entries: 28
They can claim sovereign immunity. Whether or not the claim will stand would be a matter for the judge.

There are larger issues here.
Old 07-04-2015, 12:14 AM   #4
ntubski
Senior Member
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,781
Quote:
Originally Posted by jefro
Hard to sue the Government now isn't it? They can simply refuse to pay. Why not sue China?
Pretty sure China can also refuse to pay? (And the sovereign immunity thing gives them some legal basis to do so).
Old 07-04-2015, 02:25 AM   #5
273
LQ Addict
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Quote:
Originally Posted by jefro
Hard to sue the Government now isn't it? They can simply refuse to pay. Why not sue China?
Surely the Chinese government was doing exactly what it pays itself to do?
As for the US government -- not very surprising to find they think of their own employees as something they have to scrape off their shoes since it has been apparent for a long time that they view the people who pay them, the "voting" public, as a lower form of life than pond scum.
Old 07-04-2015, 06:57 AM   #6
sundialsvcs
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4
I find it interesting that "foreign governments" are always fingered, directly or indirectly, in these so-called "data breaches." The instigators are always comfortably "far, far away." And, when the attack vectors are discussed, they always, I think, make one fatal assumption: they trust.

They trust that every entity on a company's or a government's greater network is really trustworthy. That they are, to an employee, the trusted, blue-suited, red-tied paragons of upper-class confidence that they project.

That not one single system anywhere in the trusted network has not been surreptitiously modified(!) ... ... even though the universal availability of open source to all of these key components would make such Trojan Horses both effortless to make and virtually impossible to locate.

That it's perfectly fine to put a data center anywhere, staffed by anyone, in the name of a more competitive "bid."

That, despite the utter lack of professional licensure in the data-processing profession (which, unlike, say, air-conditioning work or homebuilding, is not considered to be a profession at all), and likewise a general absence even of background checks, no one could possibly be ... a mole. Or, a saboteur. Or, what may in the 21st Century one day be seen as "a new kind of enemy soldier."

Most of all, I think that we trust the technology that we've created. We trust it implicitly. To the point: we trust the technology to absolve us from the influences, and the dangers, of human nature and of (to us, "misplaced" ...) simple human ingenuity. There is no place for the rogue, for the thief, nor for the psychopath in any of our oh-so-binary equations. Like the soldiers of Troy, we gaze with (we think ...) justifiable pride at our impregnable walls. But: we do not think like Greeks do. In fact, we much prefer to imagine that Greeks don't exist.

Somebody would not be able to purloin State secrets right out from under everybody's nose ... without inside help. (Very highly placed "inside help.") Ditto every other such so-called "breach." They wouldn't have even known where the data was. But it so happens that they not only did know, but that they knew how to spirit it away. To get the data from wherever it was hid, to the door, and out the door.

This isn't just a breach of firewalls, crypto algorithms, or security mechanisms: a human conspiracy did these things. Did all these things. And succeeded because we trusted the technology, when we couldn't trust an unknown number of the people who walked to and from the parking lot. (Or, and we may never know, who were thousands of miles away at all times, but, in our employ.) These were not breaches of technology: they were betrayals of trust, perpetrated (of course) by people who felt that they had plenty of "means, motive, and opportunity" both to do the crime and to cover it up.

It always, always, always comes down to: "People. Not bits."

"What fools these Mortals be!" -- Puck

Last edited by sundialsvcs; 07-04-2015 at 07:07 AM.
Old 07-06-2015, 07:45 AM   #7
Germany_chris
Senior Member
Registered: Jun 2011
Location: NOVA
Distribution: Debian 12
Posts: 1,071
Quote:
Originally Posted by sundialsvcs
I find it interesting that "foreign governments" are always fingered, directly or indirectly, in these so-called "data breaches." The instigators are always comfortably "far, far away." And, when the attack vectors are discussed, they always, I think, make one fatal assumption: they trust.
[...]
It always, always, always comes down to: "People. Not bits."
I don't think anyone at OPM has not had a background check, especially since they're the ones that deal with security clearances. In my little area of the government you cannot come to work without a background check at a minimum, and most jobs these days require a clearance. I'm one of those affected by the OPM breach, and OPM has more on me than any system out there simply because of my clearance. I finally have a benefit to the credit freeze I initiated all those years ago.
Old 07-06-2015, 03:20 PM   #8
sundialsvcs
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4
Yes, but the US Government, like so(!) many other "corporations," implicitly trusted promises made by corporate representatives, conveniently forgetting that the contracts issued by those corporations would actually be fulfilled(!) by "imported people" from many thousands of miles away: people who not only "had no 'skin in the game,'" but who might very well have motivations entirely different from those of the 'suits.'

We stare at these "data breaches," professing to be "confused" by thoughts of "how, possibly, anyone could have done such a thing," when the answer is blissfully-obvious to anyone who's ever read a penny detective novel.

Okay, let's imagine the next Mission: Impossible movie installment. Tom Cruise's character contrives to send out an e-mail which contains a script that dumps the content of the reader's address-book to Tom's secret account. Armed only with this information, Tom's character proceeds to steal the Crown Jewels of America, unerringly going to precisely the right location and bypassing all of the alarm systems. And your personal bullshit-detector, Dear Movie-goer, is somehow not expected to go off . . .

Even though Tom Cruise is a great actor for this kind of role . . . "it ain't gonna happen!"

Behind every technological safeguard that we may develop ... there is a human who finds himself "in a position of trust" that he may either respect ... or ... exploit.

And, any "technological" safeguard which neglects to consider this human factor is: "null and void."

Last edited by sundialsvcs; 07-06-2015 at 03:23 PM.
Old 07-06-2015, 08:26 PM   #9
jefro
Moderator
Registered: Mar 2008
Posts: 21,982
I should put a happy face icon on some of my posts maybe.