This Ars Technica article about today’s House hearing on the Chinese hacking of almost the entire US government personnel database opens with a recounting of the deserved reaming the head of OPM and its CIO received from Chairman Chaffetz (R) and his committee. But, that was not the nut of the article. Oh, no. The crucial piece of information was buried in the next to last paragraph. See if you can spot it.
Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?'”
Repeat after me: the Chinese (1) had frakking root access (2) to those databases!! That made them top-level administrators with access to everything. All the supposedly secure, classified data on every background check of every US employee investigated by OPM. And who knows what else they could do while they had access?
I’m almost speechless. To Hell with firing people: this is so weapons-grade stupid that only a firing squad will do.
Pour encourager les autres.
(1) Please. Don’t even try to tell me a root-level administrator working in China was not -at the least- turned by Chinese intelligence, if not an active agent.