The U.S. Office of Personnel Management has just disclosed that hackers compromised what one would expect to be among the world’s most secure databases to steal sensitive information relating to some 4 million current and former employees.
Without divulging specifics, authorities are pointing the finger at hackers in China, according to media reports. The FBI has launched an official probe.
Malicious activity was detected in April, and the Department of Homeland Security affirmed last month that OPM’s data, which is stored in a shared facility at the Department of Interior’s data center, was compromised.
Another Day, Another Breach
Two big takeaways jump out of this latest high-visibility data breach disclosure.
First, the scale and scope of breaches have risen to a pitch where disclosing 4 million victims seems almost routine. In the granddaddy (thus far) of data breaches, Target reported losing financial transaction records for 110 million customers in 2014, followed by Home Depot, which saw data from 56 million credit and debit cards exposed. This year, health insurance companies appear to be under heavy assault, with Anthem losing records for 80 million employees, customers and partners, and Premera Blue Cross losing records for 11 million people.
Still, these latest victims aren’t 4 million garden-variety consumers. They’re federal employees, including some with high security clearances. If the attack was motivated by nation-state cyber warfare imperatives, the collateral damage could be profound and lasting.
“This will call into question every government employee, since this information can be used by nation states and terrorists to identify and target those employees in order to gain access to sensitive environments and data,” says Eric Chiu, co-founder and president of cloud-security vendor HyTrust.
Kevin Epstein, vice president of advanced security and governance at Proofpoint, adds that simply having a current roster and knowing the chain of command in a federal agency is of high value to social-engineering specialists.
“It provides attackers with additional leverage to further penetrate targeted organizations,” Epstein says. “Phishing that comes from authorized managers and contains private details to legitimize the communication is far more likely to succeed in tricking the recipient into enabling malware or revealing proprietary information.”
Whoever stole the data is now in a great position to conduct cross-agency attacks, says Mark Bower, product management global director at HP Security Voltage.
“It’s likely this attack is less about money and more about gaining deeper access to other systems and agencies, which might even be defense or military data, future economic-strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level,” Bower says.
If Feds Can’t Keep Data Safe, Who Can?
The second big takeaway is that if Uncle Sam’s human resource honchos can’t keep data thieves at bay, what chance do tens of thousands of small and midsize companies have to defend the small, but valuable, caches of data they each possess?
Along with the financial-services sector, big federal agencies have been in the vanguard of testing and buying the latest security technologies. Yet, in hack after major hack, the same lessons manifest. Technology alone isn’t the answer. A security mindset must permeate an organization from top to bottom. And that approach remains the exception, not the rule, in both the private and public sectors.
Small and midsize businesses are under intense attack. Cyber criminals can run automated attacks carried out by tens of thousands of infected computers assembled in powerful botnet armies.
Since the intrusion, OPM has beefed up its network security. But the hackers will likely adjust. OPM had previously been the victim of a cyberattack, as have various federal government computer systems at the State Department, the U.S. Postal Service and the White House.
“This breach should give all citizens massive concern,” says Richard Blech, CEO of encryption technology vendor Secure Channels. “The speed and velocity with which stolen data proliferates through the hacker black market means this data likely has already been exploited. New detecting and alerting tools mean nothing if the data is still stolen. The goal should be to leave data useless to the hacker when stolen.”