By now everyone has heard about the data breach that hit the Office of Personnel Management (OPM). The breach has potentially exposed personally identifiable information (PII) and even extensive biographical data of up to four million federal employees, including members of federal law enforcement, active duty military, political appointees, and security clearance holders assigned to sensitive national security positions within the Defense Department and Intelligence Community. A government source said this could be one of the largest ever thefts of government data. Informed speculation points to Chinese hackers as the culprits behind the breach, though the Chinese Embassy in Washington is denying involvement. Below, we’ll break down the facts about this breach and its potential implications.
Who and why?
The attack on OPM is not surprising; the organization – as well as the data that it maintains – has been in the crosshairs for years. Similar remote access attacks against OPM targeting PII and detailed personal information of federal employees are well documented, including the 2014 attacks directed against contractors USIS and Key Point Government Solutions. Other recent attacks attributed to China targeting the same information include the 2014 breach of the U.S. Postal Service; the hack of the U.S. Nuclear Regulatory Commission; and the attack on the National Oceanic and Atmospheric Administration.
That a state sponsor, and China in particular, is suspected is not surprising given the immense value PII and biographic data can have from an intelligence standpoint (in addition to their value for traditional cybercrime such as identity theft). As the custodian of federal employee records, OPM is a treasure trove of information that foreign security services covet. Information such as detailed personal history, including previous addresses going back 10 years, names and addresses of foreign relatives and other close associates, and current state of financial health would all serve as key blueprints in the development of tailored campaigns targeting specific people or networks for exploitation.
Is this breach linked to Anthem and Premera?
There has been much speculation that China was behind the Anthem and Premera health data breaches as well. When you take into account that Anthem is also the health insurance provider for U.S. government agencies and defense contractors, it would be a safe (and correct) opinion to conclude that the breaches are probably related. Still, is there irrefutable proof right now that China was behind these hacks? As in most cases involving attribution, not exactly, and not yet. However, experts at one firm point to striking similarities between the techniques used in all three hacks, with the finger pointing at China.
What’s the point?
The disturbing conclusion here is that with this attack and the others that preceded it (and those that will most certainly come after it), nation-states have the ability to methodically piece together complete dossiers on people using the array of medical, privacy, personal, and financial data they exfiltrate. While such data has immense value from a traditional cybercrime standpoint, the strategic goal is likely something bigger and more devastating. Unfortunately, that part is probably yet to come.