Why This Breach is Different
In early June, the Office of Personnel Management (OPM) reported that personally identifiable information (PII) belonging to 4.2 million former and current federal employees was stolen in a cyber attack (this number is still being revised higher). In the course of investigating that theft, OPM discovered additional systems were also breached. The OPM website said it “discovered that additional systems were compromised. These systems included those that contain information related to the background investigations of current, former, and prospective Federal government employees, as well as other individuals for whom a Federal background investigation was conducted.”
How is this Different?
Lest we grow complacent hearing about yet another data breach, the OPM attack on personal data is believed to be different. Instead of going after information that can be easily monetized or sold on the black market, such as credit card data or Social Security numbers, the criminals are probably after information that can be used to break into more secure computers and get access to classified information.
It is probably “about gaining deeper access to other systems and agencies,” said Mark Bower, global director of HP Security Voltage product management, so that the hackers can go after military, economic or foreign policy plans.
“Theft of personal and demographic data allows one of the most effective secondary attacks to be mounted: direct spear-phishing,” continued Bower. Spear-phishing thrives on familiarity conveyed via email: the disguised criminal appears to know a little about the target. Because the email seems to come from someone the target knows, the target may be less vigilant and give out the information the sender asks for. If that happens, cyber criminals could gain access to deeper systems via credentials or malware, “thus accessing more sensitive data repositories as a consequence.”
“Beyond spear-phishing, knowing detailed personal information past and present creates possible cross-agency attacks given job history data appears to be in the mix,” he said. “Thus, it is likely this attack is less about money, but more about gaining deeper access to other systems and agencies which might even be defense or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft.”
“These attacks, now common, bypass classic perimeter defenses and data-at-rest security and can only realistically be neutralized with more contemporary data-centric security technologies adopted already by the leaders in the private sector,” Bower said. “Detection is too late. Neutralizing data breach is possible today through data de-identification technology.”