Publication / DecodeDC/ Scripps
June 18, 2015
View Article

What can be done with stolen OPM data?

Range of options for perpetrators

WASHINGTON, D.C. – The recent data breach at the Office of Personnel Management might have gone beyond Social Security numbers and personal addresses and included private – potentially embarrassing – information found in security background checks.

The question is, what do the hackers plan to do with the data now that they have it?  The answers range from selling Social Security numbers and other personal data on the dark web for as little as a dollar each, to using the information to spread lies, tarnish reputations, engage in blackmail and conduct additional targeted hacking.

“If you look at the motives of different types of attackers, criminals are almost always looking for something they can monetize like credit cards, or information they can use like identity theft. Nation state hackers are typically interested in intellectual property and espionage like government plans and information,” said Chris Wysopal, a chief security expert and CTO at Veracode, a private application security company.

The OPM attack has been linked in news reports to China and by members of Congress to China. That suggests that the mission is not monetary gain.

“If it’s nation state attackers,” Wysopal said,  “I assume it will be more phishing style attacks to compromise someone’s home network—getting the information of someone’s family members and them. So I think of [the hack] as a really sophisticated precursor attack to getting at something that is really more of the ultimate target of the hack.”

That ultimate target, of course, is unknown, and OPM has not confirmed which files were stolen in the security breach.

What is known is that OPM is responsible for completing almost 90 percent of employee background checks for people trying to receive security clearances. That means hundreds of pages of documents on each applicant could have been stolen.

The central personnel data file of each federal employee held by OPM typically contains up to 780 distinct pieces of information, reports say. The breach also could include information on family members and acquaintances employees  mentioned in their security clearance applications.

“It’s likely this attack is less about money, but more about gaining deeper access to other systems and agencies,” said Mark Bower, a security expert at Hewlett-Packard told the CS Monitor.

Bower said the information collected could give hackers the materials needed to send virus-ridden emails to targeted employees, or be use for phishing scams aimed at gaining further access to economic policy plans, military and defense data or to even steal intellectual property.

Former chairman of the House Intelligence Committee Mike Rogers said last week that Chinese intelligence agencies have for some time been attempting to assemble a database of information about Americans. In addition to using the data to build spyware he worried that the data they could also be used for blackmail.

“It just looks like they are building up this big dossier of powerful people in the government, of people who had gotten their security clearances who do have elevated access to information,” Wysopal said.

“It looks like it’s information that can really be used to target individuals and it could be taken to the level of blackmail. People are worried because there might be secrets there that individuals don’t want to let out about their lifestyles and personal health and the health of their family members.”

To date, Congress has been unable to pass concrete cyber security bills that would address some of the issues facing the private and government industries.

In the Senate last Thursday, Democrats blocked a Republican effort to add a cyber security bill to the National Defense Authorization Act. The vote was 56-40, four votes short of the number needed.

So far this year 36 bills were introduced in Congress that deal with cyber security in some way. None have passed.

But for some, last week’s breach was an eye opener that clearly showed the need for legislation–even if the bill simply enhanced sharing and vigilance between government agencies—a tactic many including the Obama administration has supported.

“The last few months have seen a series of massive data breaches that have affected millions of Americans,” Rep. Adam Schiff, D-Calif, said in a statement following the OPM breach. “It’s clear that a substantial improvement in our cyber databases and defenses is perilously overdue.”