Last week, a friend of mine, a former master sergeant in the U.S. Army Special Forces (the Green Berets), received a letter from the Office of Personnel Management informing him that his personal information had been compromised in a data breach. Several of his colleagues received the same letter, which said that a "malicious cyber intrusion" had resulted in the theft of their background investigation files. These files contain the sort of sensitive personal information that must be disclosed to the government in order to obtain the highest level of U.S. security clearance.
When disclosing the attack earlier this year, government officials said the Chinese were responsible, although it's impossible to prove since the access logs had been deleted by the time the breach was discovered.
What sort of personal information was stolen? According to the OPM's letter: "name, Social Security number, address, date and place of birth, residency, educational and employment history, personal foreign travel history, information about immediate family members as well as business and personal acquaintances, and other information used to conduct and adjudicate your background investigation."
These former service members tell me that their files also include fingerprints, photos and information about vices and sensitive personal matters that could potentially be used for blackmail purposes. Some of the information dates back as far as 30 years.
The CIA was believed to be shielded from the data breach since it doesn't use the OPM for background investigations, but many special operations forces members end up working with the CIA on top-secret projects. It's unclear whether the personal information of current special operations forces members was stolen. But with so many former members working as contractors on classified projects, it's naive to suggest that the damage has been limited.
With fingerprints, photos and blackmail material, just imagine what a foreign government could do to compromise our most elite military operators. Personal vulnerabilities could be exploited to produce moles, with former military members blackmailed into spying or otherwise acting against American interests. U.S. personnel suspected to be operating under deep cover could have a stray fingerprint lifted and checked against this rogue database in order to uncover their identity.
The exposure of information about family and friends provides malicious entities with easy entry into the lives of special operations forces personnel, since family and friends aren't trained in operational security themselves, are unlikely to suspect a malicious agenda, and probably have an extensive Internet and social media presence. If they post details about family vacations on Facebook, Twitter or Instagram, a bad guy could ascertain the location of a top-secret operative.
"It's not like we risked our lives, bled, were maimed or anything," said one former special operations forces member who received a letter from the OPM. "This is what happens when you literally risk your life for this nation."
I told a former French special operations forces member about the breach, and he was stunned that those personnel files could be found anywhere other than in a locked vault with tightly controlled access. In France, for example, even if such classified data is stored digitally on CD-ROM, it must be accessed via computer inside a Faraday cage that produces an electronic signals dead zone. Wi-Fi must be deactivated and any modem unplugged. The data cannot be copied onto other digital media.
It's been reported that the cyber-attackers obtained valid system access credentials and that encryption may not have helped: data encrypted at rest is decrypted for anyone the system believes is an authorized user, so an attacker logging in with stolen credentials reads it the same way a legitimate employee would.
The bottom line is that few pieces of classified government information are more sensitive than special operations forces data, and there is no way this material should be located on any kind of computer system. This isn't pizza delivery history that needs to be easily accessed -- it's information at the very heart of national security that should be securely protected at all costs. Allowing this kind of sensitive personal information to be hacked is as egregious as storing the nuclear launch codes on Google Drive. (Um, they aren't stored there, right?)