[dguido]

Before you start shitting on OPM and the like, is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?

Clearly, OPM should know, but omg is the state of security poor.

[FooNull]

>is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?

My company didn't compile detailed background information about my "sexual misconduct", or spend money trying to detail the ways in which I might be blackmailed.

So yeah, it's a little different.

[mokus]

And not only your information - that 21.5 million figure given for the clearance database is 1 in 15 people in the entire United States population.

What I'd like to know is how this information failed to warrant even the level of protection mandated for medical records - according to at least one major news source, the data wasn't even encrypted. The standard criteria in the US for "top secret" classification is described as material having the potential to cause "exceptionally grave damage" to the national security of the nation. A database of information pertaining to a process designed to collect all information potentially usable for coercion (blackmail, social ties, etc) of all the individuals in the most sensitive positions of the government, should have been classified and protected at the Top Secret level.

Frankly, the outrage I've seen so far is not nearly enough for the scale of the irresponsibility here. I firmly believe the director and CIO of the OPM should not only be removed from office, they should be subject to criminal charges for mishandling information that clearly _should_ have been classified.

[dmix]

> is this any different than what would happen if a dedicated attacker came after the most valuable data in your company?

Well, most SF/HN startups data wouldn't get people killed if leaked to the wrong hands, whereas OPM had sensitive information on spies/foreign agents/etc where that is a serious possibility.

The question I'm curious about is what if a Silicon Valley style startup was going to start a company holding ID information for gov workers? Including potentially identities of people whose livelihood depends on secrecy. I'd imagine they would be investing quite heavily in security. But it is plausible even that wouldn't stop nation-state attackers...