Skip to content

Followup: Security Vulnerabilities Allowed Chinese Hackers To Steal SF-86’s on All Americans Who Applied For Security Clearances


The New York Times (NYT) published a followup on the story we noted a few days ago about Chinese hackers and their successful penetration of American databases.  These databases contained all the “SF-86” (on which applicants reveal personal, health, and sensitive information about themselves) forms, apparently from every American who has ever applied for a security clearance, including retired former civilian employees and current workers.  The number of forms was previously reported as between nine and fourteen million, but the exact number is simply unknown.   The NYT reported on Congressional hearings in which it was revealed that multiple US agencies have serious holes in their cyber-security practices, including some computers that didn’t even have firewalls and some passwords that were absurdly easy to penetrate, such as “password” and others.

The hackers obtained “administrator” privileges that allowed them unrestricted access to all systems on multiple computer networks; even the Department of Homeland Security had serious vulnerabilities.  Other agencies affected: the Department of the Interior, which had large amounts of database storage available in lightly protected archives, ” the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, [and] the Securities and Exchange Commission.”  The Securities and Exchange Commission was one which had no firewall or other intrusion protection systems for several months.

Inspector General reports as far back as 2010 have, or should have had, alerted authorities to the security vulnerabilities, but action has been slow at every agency.  Some who spoke at the hearings blamed “legacy systems”, that is, systems that were installed at the very beginning of the computer era and then repeatedly patched instead of being replaced because replacement was thought to be too difficult.

” It was not until early last year, as computer attacks began on United States Investigations Services, a private contractor that conducts security clearance interviews for the personnel office, that serious efforts to develop a strategic plan to seal up the agency’s many vulnerabilities started.”

The same group which made these intrusions had previously entered the databases of health insurance companies like Anthem, as well as the travel industry (among many other industries from which patent and other sensitive information was taken).  An unusual aspect of those attacks was that none of the data subsequently showed up on the data black market, a suggestion that the hackers were the end users of the data obtained, or government agencies.

Repeated reports by US government investigating bodies have revealed vulnerable networks in every agency looked at.  These vulnerabilities have persisted despite claims that the US has spent over $65 billion since 2006 on cybersecurity.  Even the Department of Homeland Security has revealed multiple deficiencies in intrusion protection.   New tools installed in the last year have identified intrusions that have been taking place for some time; without these tools, investigators might never have known that the intrusions were even taking place.

Clearly, the Chinese government has successfully developed a database of US citizens, those employed by the government, those with security clearances, diplomats, and politicians (although there were claims that the politician’s data has not been breached.)  What the Chinese intend to do with this information is not definitely known, although one could speculate as to the advantages this data could confer: the ability to blackmail anyone, or to recruit wavering individuals for espionage work.

This security breach is the worst, and the most embarrassing, of all the breaches revealed to date.  Its full repercussions have not yet been felt.

The NYT article link:

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: