Government data hacks violate personal trust, argues ASU security researcher

Having your personal information compromised, whether it be account passwords, social security numbers, or banking information, is something no one wants to happen. But when this information, along with the intimate details of your life, are misappropriated, the situation can become much more distressing, as chronicled by Jamie Winterton, director of Strategic Research Initiatives at ASU's Global Security Initiative.

When Winterton began her intensive interview process with the U.S. government in order to gain her security clearance, she trusted that her personal information would be safeguarded, but this was not the case.

As Winterton describes in a Future Tense article in Slate magazine, in July 2014 there was a data breach at the United States Office of Personnel Management (OPM). Employees were assured in an internal email: "At this time, neither OPM nor [the United States Computer Emergency Readiness Team] have identified any loss of personally identifiable information for any users of OPM’s internal or external systems."

As Winterton writes, they were essentially told, "be vigilant – but we've got your back.” However, by summer 2015, it became clear that the breach was more extensive than employees were initially led to believe, and it was at this point that people like Winterton – who had a security clearance but was not an OPM employee – started to accept the probability that their personal data had been “hijacked.” Still, most of the people affected didn’t know how deep the breach was. 

When people began to question how something like this could happen, especially to a government agency, it was revealed that OPM security protocols were extremely weak, and that the agency didn't employ any security IT staff until 2013. OPM didn’t even know which machines were on its supposedly secure network. The agency’s inspector general described how the "network wasn't routinely scanned for vulnerabilities."

Winterton asserts that the trust between people holding security clearances and the government is a two-way street: just as cleared personnel are expected to keep government data secure, the government has a responsibility to protect the personal information it collects. 

“As the events unfolded, I felt more and more agitated that so little was done to protect my information,” writes Winterton. “The fact that an adversary with the stolen information could create a highly detailed picture of our national security posture was dizzying, but I didn’t feel personally threatened. Until I learned that notes from background check interviews were among the stolen data. All the stories that fill in the gaps between the numbers, the narrative that turns a spreadsheet into the representation of a person, at their best and their worst – not just gone, but never even protected in the first place. Suddenly, the OPM hack felt a lot more personal.”

To read the full article, visit Future Tense.

Future Tense is a collaboration among ASU, the New America Foundation and Slate magazine that explores how emerging technologies affect policy and society.

Written by Melissa Pagnozzi, ASU Global Security Initiative