Why I’m Worried About the OPM Breach

Standard Form 86 is the most invasive piece of paperwork you’ll ever fill out.

The 127-page application for a security clearance goes well beyond the standard questions – name, date of birth and Social Security number, all of which are already enough to enable full-blown identity theft – and demands that you cough up the identities of your family, your friends, financial details, mental health history and criminal background.

When I first filled out the form in 2010, prior to my departure to Baghdad to work with the U.S. Agency for International Development, it took me five-and-a-half hours to complete. The confessional rush gave me something like a hangover. There it was: my life in former addresses, old employers and the phone numbers of friends and ex-girlfriends who could be queried by investigators on my patriotism and moral rectitude.

I’m cagey by nature (example: My wife and I keep a “burn bag” for credit card statements and other personally identifying documents), so the thought of the most comprehensively personal document I’ll ever complete falling into the hands of hackers is enough to make me sweat.

It’s been a stressful few weeks. According to the New York Times, Chinese hackers snatched 1 million SF-86s. The U.S. government has yet to publicly accuse China, which previously limited its data theft to industrial secrets; Beijing, for its part, denies it had any role in the attacks.

Bajun Mavalwalla, a former Army intelligence officer whose records may have been among those snatched, was dismayed.

“If they’re not keeping this information secure, what else aren’t they protecting?” said Mavalwalla, who retired as a captain with the Army National Guard. A Russian linguist and signals intelligence specialist, Mavalwalla held a top secret clearance and last submitted an SF-86 in 2012.

He first learned of the breach through the news; to date, he has not received any notifications from the government. Perhaps his records were not among those stolen; he doesn’t know.

Neither this nor the breach came as a surprise to Mavalwalla. While in the Guard, he said, he saw scores SF-86 forms lying unsecured in cubicles, even though military personnel are trained to keep all “personally identifiable information,” or PII, within sight or locked away.

“These forms were not being kept locked up,” he said. “They were just sitting in file boxes for years. For all I know, they’re still there.”

Mavalwalla said the breach is uniquely compromising for former military personnel, many of whom find work in the defense industry, some overseas.

“A lot of these folks get into defense contracting, and some of it’s pretty high-level stuff. For me, it’s easy to know I’m going to be living abroad, through public record, but if someone cross-referenced that with my clearance paperwork…yeah, that would concern me.”

Jessica, a former State Department diplomat who asked to be identified only by her first name, said she learned about the breach from a letter from Office of Personnel Management Chief Information Officer Donna Seymour. In the letter, she said, OPM offered $1 million in identity theft insurance for 18 months but declined to take responsibility for the attack.

“Nothing should be construed as OPM accepting liability,” Jessica said, reading from the letter. “We regret this incident.”

That stung, she said.

“It’s a little annoying that they say they’re not taking responsibility,” she said. “I acknowledge that hackers are very, very clever, and security, it’s always reactive. Someone will always come up with something new. People are good at this stuff. It’s just disconcerting that the U.S. government isn’t a little bit better at defending against it.”

Though she often works abroad, Jessica said she’s not so much concerned about any new threats to her safety; she’s more troubled by the violation of her privacy.

“Anything you’ve done that might be unsavory is in there. It’s an incredibly intense amount of personal information,” she said.

Jay, a State Department contractor who also asked to be identified only by his first name, isn’t panicking. He wasn’t the target, he said.

“This is espionage. This is trying to get blackmail material,” he said, adding that those who are actually at risk aren’t stateside contractors like himself, but diplomats, clandestine agents and other federal employees abroad who could have personal information leveraged against them.

He said the government should retaliate in kind, improving its defense by strengthening its offense. In the meantime, he said, he’s not too worried. His finances are in order, and he’ll keep one eye on his credit score. But he’ll be changing his passwords.

And so will I.

Morning Consult