On Thursday, Newsweek published what they claim is an exclusive story centered on Chinese hackers that have penetrated an untold number of FBI personnel files in a data breach with "potentially dangerous national security implications."
The story moves on to say that the extent of the FBI penetration is unknown, but it's quick to claim that it's being reported "for the first time."
The key evidence supporting Newsweek's claims is these passages:
An FBI source told Newsweek he was notified by OPM in May that his personnel file had been penetrated by hackers in the same Chinese intrusion.
"This is the second notification that I've been breached," the veteran agent said on the condition of anonymity. "They got me through Anthem Blue Cross, now they have me through OPM. I think of the 17 million they have on file, they're only notifying 4 million. But I was notified last month."
Asked whether the entire FBI workforce of over 36,000 agents and support personnel had been compromised, the agent responded: "I don't think so… but it's pretty ugly. I guess [OPM staff] outsourced some of their software to a Chinese company. Unfortunately I don't think anyone's going to be fired like they should be."
Any penetration of the FBI could have "mind-boggling" effects, he said, "because there are counterintelligence implications, national security implications."
The security person in me is screaming.
Just because a single FBI agent got a letter from the OPM warning them about the breach doesn't mean the FBI as a whole was hacked. Even if every agent got a similar letter, you still couldn't make that claim.
But if you really want to stretch things, then not only was the FBI hacked, so was every other agency in the government. Why? Because the OPM breach is now estimated to have impacted some 12 million people.
Not only is the Newsweek story FUD in its purest form, it's inflammatory.
The article isn't that long, but whenever possible, China or Chinese hackers are referenced. That's because anonymous sources have pointed the finger at China, but no official – ON THE RECORD – sources have confirmed that attribution.
In reality, no one knows who hit the OPM. For all we know, it was someone in Iceland using a really, really slow 3G connection. Then again, maybe it was Russia – pretending to be China. Perhaps it was an army of squirrels.
Yes, the security person in me is screaming, but the journalist and editor in me just wants to cry.
Articles like the one published by Newsweek are exactly the reason why security reporters can't have nice things. Stories like this are why we're almost universally hated and distrusted by the InfoSec community.
Then again, who am I to let simple facts get in the way of ad-revenue-generating headlines like Newsweek's: "Exclusive: Chinese Cyberthieves Hack FBI in Dangerous Breach"
The story is linked above, but here is an archive in case it goes away.
As I said before, a breach notification letter doesn't mean much. Often they're sent to people even if their data wasn't compromised, because the law requires it.
In the case of the OPM and Anthem breaches, assuming the agent in question did in fact have their PII exposed, this in no way translates into the entirety of the FBI being compromised. This is a serious factual error.
If a person at company X got a breach notification letter, this doesn't mean that all of company X was hacked. It never has, and never will. Until today, I'd have bet good money that there was no way this sort of conclusion would reach wide circulation – and then Newsweek went to print.
Writing that the "extent of the FBI penetration [...] is unknown" doesn't save this story at all. It's pure speculation, based on sensationalism and false conclusions.
Even the FBI agent who sparked the story said they didn't think the entirety of the FBI was compromised – sending the article's entire premise crashing and burning to the ground.
How does someone (reporter or editor) covering the security beat not know what a breach notification letter is, or what one means? How does that happen?
There have been so many breaches in the last five years that the basics of a notification letter, and what actually counts as a breach, should be second nature to those of us who cover this space.
It should be, but clearly it's not.
So as the title states: No, Virginia, the FBI was not hacked by China. Newsweek got it wrong.