In one sense, the breach of some 4 million personnel records from the Office of Personnel Management earlier this year probably isn’t going to put the financial information of a lot of federal employees at risk. That’s the good news.
But the rest of the news is very bad. With a few exceptions, essentially every federal employee, especially those with high security clearances, is going to have to be looking over their shoulders for the rest of their lives.
The level of detail in that stolen data includes everything from background investigations to personal data about families and spouses, summer jobs and former home addresses. It is, quite frankly, a phisher’s paradise.
But it’s worse than even that. Federal officials assert that this is a nation-state cyber-attack carried out by China or its hacker proxies. If that’s the case, then it’s quite possible that Chinese intelligence agencies could mine the data via big data analysis to gather personal details to create believable and verifiable backgrounds for inserting spies into the U.S.
By tying together the personnel information, it should also be possible to use data analysis to develop lists of passwords and security answers to government systems as well as private systems.
But the threat doesn’t even end there. By tying the federal personnel records to the records stolen during the Anthem health insurance breach from a few months ago, those federal employees are now open to compromise and even blackmail. Anthem, as you may recall, is a major provider of health insurance for federal employees, including workers at agencies such as the CIA and the National Security Agency.
“They’re seeing who government employees are,” said Jerry Ferguson, a partner at Baker Hostetler’s privacy and data protection team. “They’re not doing that to file fake tax returns or steal credit cards. They’re trying to identify who key people are, so that if there were going to be a more serious attack, they could be cut off from the communications networks they participate in.
“This is a preliminary step toward other activity,” Ferguson said. “I think we’re seeing reconnaissance.” He said that he’s also seeing hackers break into industrial control systems, but only gathering information rather than changing anything, and then trying to hide their tracks. “It’s not going to stop there.”
“Now that they have access, they’re going to try phishing and social engineering,” said Saryu Nayyar, CEO of Gurucul, a security identity analytics company. “They’re going to try to get access to sensitive data.” She added that because some of the personnel records the hackers got are for employees with high security clearances, some of them may have the authority to create identities for people with access to classified data.
On the other hand, it may be too early to be sure exactly what’s going to happen to the data that was taken from OPM. “Don’t leap to the conclusion that it’s the Chinese government,” former cyber-security czar Richard Clarke said.
Huge Federal Data Breach a Prelude to Even More Dangerous Exploits
Clarke said that while the breach has been traced to China, that doesn’t mean it was necessarily the Chinese government. He said that there’s a difference between what data they managed to access and what they took.
“I haven’t talked to anyone who said that they took any security clearance information,” Clarke said. He added that until a thorough forensic analysis is complete, all we will know for sure is that they got some personally identifiable information.
Jean Taggart, senior security researcher at Malwarebytes, agreed. “Because of the data that was breached, everyone is pointing to possible involvement by nation-states,” he said. But unless the U.S. government says that was the case, it’s just not possible to make that assumption. In addition, Taggart wondered how anyone could have exfiltrated 4 million dossiers without anyone noticing, considering the bandwidth utilization.
While OPM has promised credit monitoring and identity theft protection for the affected employees, the reality is that those are the least of their worries. Instead, those federal employees will have to be on guard against social engineering attacks the likes of which they’ve never seen before.
The attackers will have the information they need to look like anyone in a person’s present or past. They will be able to weave convincing stories, some so good that the temptation to click on a link will be nearly irresistible.
In fact, this breach may result in some drastic measures on the part of federal IT managers, such as deactivating all embedded links in email so that they cannot be clicked on. But there is a lot more to phishing than just clicking on email links.
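One way to carry out the measure described above, as an added example that is not part of the original article and is not the code of any agency or vendor mentioned in it: the HTML body of an inbound message is rewritten so that every anchor loses its href, while the visible link text is kept and a defanged copy of the target is appended so the reader (and the help desk) can still see where the link pointed. The sample message, the class name `LinkDeactivator` and the `defanged-link` span class are constructed for the example.

```python
"""Deactivate embedded links in an HTML email body (added example).

Every <a href="..."> becomes a non-clickable <span>; the anchor's visible
content is kept and the defanged target is appended. Everything else in the
body is re-emitted unchanged.
"""
from html import escape
from html.parser import HTMLParser


def defang(url: str) -> str:
    """Make a URL non-clickable in mail clients: break the scheme and the dots."""
    return (url.replace("https://", "hxxps://")
               .replace("http://", "hxxp://")
               .replace(".", "[.]"))


class LinkDeactivator(HTMLParser):
    """Re-emit HTML unchanged except that every <a> becomes a non-clickable span."""

    def __init__(self):
        # convert_charrefs=False: entities reach handle_entityref/handle_charref
        # and are written back verbatim, so text (and <style> bodies) round-trip.
        super().__init__(convert_charrefs=False)
        self.out = []            # rewritten HTML fragments
        self.links = []          # (href, inner HTML) pairs, for logging or review
        self._in_anchor = False
        self._href = ""
        self._anchor_buf = []

    def _emit(self, fragment: str) -> None:
        (self._anchor_buf if self._in_anchor else self.out).append(fragment)

    @staticmethod
    def _attrs(attrs) -> str:
        # HTMLParser hands attribute values back unescaped, so re-escape them.
        return "".join(f' {k}="{escape(v or "")}"' for k, v in attrs)

    def _close_anchor(self) -> None:
        inner = "".join(self._anchor_buf)
        self.links.append((self._href, inner))
        self.out.append(
            f'<span class="defanged-link">{inner} [{escape(defang(self._href))}]</span>'
        )
        self._in_anchor, self._href, self._anchor_buf = False, "", []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            if self._in_anchor:          # anchors do not nest; start a new one
                self._close_anchor()
            self._in_anchor = True
            self._href = dict(attrs).get("href") or ""
            return
        self._emit(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self._emit(f"<{tag}{self._attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag == "a":
            if self._in_anchor:
                self._close_anchor()
            return                       # stray </a> is dropped
        self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def close(self):
        super().close()
        if self._in_anchor:              # unterminated <a> at end of body
            self._close_anchor()


def deactivate_links(html_body: str):
    """Return (rewritten_html, [(href, inner_html), ...])."""
    parser = LinkDeactivator()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.links


# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = (
    '<p>Hi Bob,<br/>please <a href="https://login.example.com/reset?u=bob">'
    'verify your account</a> today &amp; confirm at '
    '<a href="http://10.0.0.5/x">this page</a>.</p>'
)

if __name__ == "__main__":
    body, links = deactivate_links(SAMPLE_EMAIL)
    print(body)
    for href, text in links:
        print(f"neutralized link -> {href!r} (text: {text!r})")
```

The rewrite keeps the URL visible on purpose: a user who sees `hxxps://login[.]example[.]com/...` next to "verify your account" can report it, whereas silently dropping the link hides the lure from the people who should be reporting it.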
Because the stolen information includes addresses and phone numbers, these same employees will be subject to phishing phone calls and even fraudulent mail. These employees could be besieged by an unending flood of attacks from a number of sources.
And unfortunately, all it takes is one mistake by one employee to open the gates to even greater data theft. Clearly, the level of security needs to get higher, and it needs some fundamental change.
The idea that you can keep intruders out of a government-owned network altogether is clearly false, and what needs to be done goes beyond perimeter defenses anyway. As Clarke has said repeatedly, the bad guys are going to get in, so the best you can hope for is keeping them from getting anything that’s important. That means watching the whole network for anomalous behavior, such as a host suddenly sending far more data outbound than it ever has before.
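The kind of anomaly the text calls for, and the bandwidth question Taggart raised earlier, as an added example that is not part of the original article and not any agency's detection logic: each host's outbound bytes are bucketed by hour, a robust baseline (median and median absolute deviation) is built per host, and any hour that sits far outside that host's own history is flagged. The flow records, host addresses and thresholds are constructed for the example; real deployments would read NetFlow, proxy or firewall logs.

```python
"""Per-host outbound-volume anomaly detection (added example).

A bulk exfiltration shows up as a source that sends far more in one hour than
it ever did, even if the total is small next to link capacity. The baseline is
median/MAD rather than mean/stddev so a single huge hour does not inflate the
baseline it is being compared against.
"""
from collections import defaultdict, namedtuple
from statistics import median

Alert = namedtuple("Alert", "src hour bytes_out median z")

# Constructed flow records: "timestamp src dst bytes_out". 10.1.4.7 behaves
# normally; 10.1.4.22 pushes ~3.2 GB to one external address early on 06-03;
# 10.1.4.99 has too little history to score.
FLOW_LOG = """\
2015-06-01T09:12:03 10.1.4.7 52.0.0.10 48213
2015-06-01T09:40:51 10.1.4.7 52.0.0.10 12077
2015-06-01T14:02:10 10.1.4.7 198.51.100.8 55990
2015-06-02T09:05:44 10.1.4.7 52.0.0.10 61320
2015-06-02T16:31:08 10.1.4.7 203.0.113.5 44101
2015-06-03T10:11:29 10.1.4.7 52.0.0.10 50877
2015-06-01T09:30:00 10.1.4.22 52.0.0.10 39800
2015-06-01T15:45:12 10.1.4.22 198.51.100.8 58204
2015-06-02T09:01:56 10.1.4.22 52.0.0.10 46660
2015-06-02T13:22:40 10.1.4.22 203.0.113.5 51019
2015-06-03T02:07:13 10.1.4.22 203.0.113.77 1587302400
2015-06-03T02:49:58 10.1.4.22 203.0.113.77 1612053120
2015-06-03T10:00:02 10.1.4.22 52.0.0.10 43990
2015-06-03T11:15:33 10.1.4.99 52.0.0.10 70010
"""


def hourly_totals(lines):
    """Aggregate bytes_out per (src, hour) from 'timestamp src dst bytes' lines."""
    totals = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _dst, nbytes = line.split()
        totals[(src, ts[:13])] += int(nbytes)      # 'YYYY-MM-DDTHH' is the bucket
    return totals


def detect_egress_anomalies(lines, z_threshold=6.0, min_history=4):
    """Return (alerts, unscored_hosts).

    A host is scored only once it has min_history hourly buckets; hosts below
    that have no baseline of their own and need peer-group comparison instead.
    """
    per_host = defaultdict(dict)
    for (src, hour), nbytes in hourly_totals(lines).items():
        per_host[src][hour] = nbytes

    alerts, unscored = [], []
    for src, buckets in sorted(per_host.items()):
        if len(buckets) < min_history:
            unscored.append(src)
            continue
        values = list(buckets.values())
        med = median(values)
        mad = median([abs(v - med) for v in values])
        # 1.4826 scales MAD to a stddev-equivalent for normal data; the floor
        # keeps a host with a flat history from dividing by (almost) zero.
        sigma = max(1.4826 * mad, 0.05 * med, 1.0)
        for hour, nbytes in sorted(buckets.items()):
            z = (nbytes - med) / sigma
            if z > z_threshold:
                alerts.append(Alert(src, hour, nbytes, med, round(z, 1)))
    return alerts, unscored


if __name__ == "__main__":
    found, skipped = detect_egress_anomalies(FLOW_LOG.splitlines())
    for a in found:
        print(f"ALERT {a.src} {a.hour}: {a.bytes_out} bytes out "
              f"(host median {a.median:.0f}, z={a.z})")
    print("unscored (insufficient history):", skipped)
```

Per-host baselines catch the quiet case where a single workstation's total is unremarkable against the site's aggregate; the complementary check, a site-wide baseline per destination, catches many hosts each sending a little to the same new external address.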
Clarke suggests that one important change would be to stop using Social Security numbers as a basis for identification. “They have to stop,” he said. “They have to come up with some other method.” Meanwhile, Clarke wonders why OPM didn’t encrypt the data to make it useless if it was taken. “Why can’t you pass a law that you can only store in an encrypted database?”
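Clarke's first suggestion, replacing the Social Security number as the key to a record, as an added example that is not from the article and not OPM's or any vendor's code: the database row is keyed by a keyed HMAC of the SSN instead of the SSN itself. A plain hash would not do, because the whole SSN space is only a billion values and can be enumerated offline in minutes; the HMAC key is the secret that makes the stored tokens useful, and it belongs in a KMS or HSM outside the database, which is also the principle behind his second suggestion. The key source, the `PersonnelStore` class and the sample record are constructed for the example.

```python
"""Keyed, non-reversible identifiers in place of SSNs (added example).

The table never contains an SSN. Lookups and joins still work because the
token is deterministic for a given key; an attacker who copies the table
without the key gets nothing they can enumerate.
"""
import hashlib
import hmac
import re
import secrets

_NINE_DIGITS = re.compile(r"^\d{9}$")


def normalize_ssn(ssn: str) -> str:
    """Strip formatting and require exactly nine digits."""
    digits = re.sub(r"\D", "", ssn)
    if not _NINE_DIGITS.match(digits):
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_token(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized SSN under a secret key.

    The 'ssn:v1:' prefix domain-separates this use of the key and allows a
    future token format to coexist during a key or scheme rotation.
    """
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 256 bits")
    msg = b"ssn:v1:" + normalize_ssn(ssn).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PersonnelStore:
    """Rows keyed by token; the SSN itself is never written to the store."""

    def __init__(self, key: bytes):
        self._key = key          # assumption: fetched from a KMS/HSM in production
        self._rows = {}

    def add(self, ssn: str, record: dict) -> str:
        token = ssn_token(ssn, self._key)
        self._rows[token] = dict(record)   # caller must not put the SSN in record
        return token

    def lookup(self, ssn: str):
        return self._rows.get(ssn_token(ssn, self._key))

    def matches(self, ssn: str, token: str) -> bool:
        """Constant-time check that a presented SSN corresponds to a stored token."""
        return hmac.compare_digest(ssn_token(ssn, self._key), token)

    def dump(self) -> dict:
        """What a thief would see after copying the table (no key, no SSNs)."""
        return dict(self._rows)


def contains_digits_of(blob: str, ssn: str) -> bool:
    """True if the raw SSN digits appear anywhere in a serialized table."""
    return normalize_ssn(ssn) in re.sub(r"\D", "", blob)


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)       # constructed; never hard-code a real one
    store = PersonnelStore(demo_key)
    tok = store.add("123-45-6789", {"name": "A. Example", "clearance": "TS/SCI"})
    print("token:", tok)
    print("lookup by formatted SSN:", store.lookup("123 45 6789"))
    print("SSN digits present in dump:",
          contains_digits_of(repr(store.dump()), "123-45-6789"))
```

Tokenization only protects the identifier; the rest of the record (addresses, relatives, investigation notes) still needs encryption at rest with keys the database server itself cannot read, otherwise a copied table leaks everything but the SSN.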