NEWS ANALYSIS: The only good news from the breach of 4 million Office of Personnel Management records is the hackers weren't going after anybody's credit card numbers.
In one sense, the breach of some 4 million
personnel records from the Office of Personnel Management earlier this year probably isn't going to put the financial information of a lot of federal employees at risk. That's the good news.
But the rest of the news is very bad. With a few exceptions, essentially every federal employee, especially those with high security clearances, is going to have to be looking over their shoulders for the rest of their lives.
The level of detail in that stolen data includes everything from background investigations to personal data about families and spouses, summer jobs and former home addresses. It is, quite frankly, a phisher's paradise.
But it's worse than even that. Federal officials assert that this is a nation-state cyber-attack carried out by China or its hacker proxies. If that's the case, then it's quite possible that Chinese intelligence agencies could mine the data via big data analysis to gather personal details to create believable and verifiable backgrounds for inserting spies into the U.S.
By tying together the personnel information, it should also be possible to use data analysis to develop lists of passwords and security answers to government systems as well as private systems.
But the threat doesn't even end there. By tying the federal personnel records to the records stolen during the Anthem health insurance breach from a few months ago, those federal employees are now open to compromise and even blackmail. Anthem, as you may recall, is a major provider of health insurance for federal employees, including workers at agencies such as the CIA and the National Security Agency.
"They're seeing who government employees are," said Jerry Ferguson, a partner at Baker Hostetler's privacy and data protection team. "They're not doing that to file fake tax returns or steal credit cards. They're trying to identify who key people are, so that if there were going to be a more serious attack, they could be cut off from the communications networks they participate in.
"This is a preliminary step toward other activity," Ferguson said. "I think we're seeing reconnaissance." He said that he's also seeing hackers break into industrial control systems, but only gathering information rather than changing anything, and then trying to hide their tracks. "It's not going to stop there."
"Now that they have access, they're going to try phishing and social engineering," said Saryu Nayyar, CEO of Curucul, a security identity analytics company. "They're going to try to get access to sensitive data." She added that because some of the personnel records the hackers got are for employees with high security clearances, some of them may have the authority to create identities for people with access to classified data.
On the other hand, it may be too early to be sure exactly what's going to happen to the data that was taken from OPM. "Don't leap to the conclusion that it's the Chinese government," former cyber-security czar Richard Clarke said.