Skip to footer

OPM hack: What criminal hackers can do with your personal data

Stolen medical and personal data are now more valuable than stolen credit cards because the information can be used for orchestrating sophisticated attacks on valuable targets. 

|
Gary Cameron/Reuters
An employee of the U.S. Office of Personnel Management departs the building during the lunch hour in Washington June 5, 2015. In the latest in a string of intrusions into U.S. agencies' high-tech systems, the Office of Personnel Management (OPM) suffered what appeared to be one of the largest breaches of information ever on government workers. The office handles employee records and security clearances.

The Office of Personnel Management hack is the largest ever breach of federal employee information and potentially the most damaging because of the type of data stolen.

Criminal hackers gained access to some 4 million records about current and former federal employees and potentially scores of Social Security numbers, employment histories, job performance reports, and training data.

It's this kind of information that can give cunning hackers the ability to commit identity fraud, construct sophisticated e-mail scams known as phishing attacks, and lead to even more damaging cyberattacks seeking higher value information. 

“It’s likely this attack is less about money, but more about gaining deeper access to other systems and agencies," said Mark Bower, a security expert with Hewlett-Packard. 

In fact, he said, some of this information could give criminal hackers the raw materials to construct targeted e-mail attacks with the aim of getting access to data about economic policy plans, military and defense data sets, or for committing intellectual property theft. 

Several media outlets have quoted anonymous officials and security experts saying the OPM hack was the work of China. Beijing officials have denied those claims.

While it didn't directly attribute this breach to China, the cybersecurity firm iSight Partners told Reuters that it linked the hackers behind the OPM attack to previous thefts of health records from insurance companies Anthem and Premera Blue Cross. Those breaches have also been linked to China.

If the OPM breach was indeed the work of state-sponsored hackers, it could be intended to contribute to a much larger cyberespionage campaign targeted at the US government. 

“It looks like they are casting a very wide net, possibly for follow-on operations or identifying persons of interest, but we’re in a new space here and we don’t entirely know what they’re trying to do with it," John Hultquist, the senior manager of cyberespionage threat intelligence at iSight, told The New York Times.

Similar to the value of personal data that could be obtained in the OPM breach, medical records also offer an attractive bounty to criminals looking to commit more targeted fraud or steal someone's identity. 

“When someone has your clinical information, your bank account information, and your Social Security number, they can commit fraud that lasts a long time,” Pam Dixon, executive director of the World Privacy Forum, told Monitor correspondent Jaikumar Vijayan in March after the Premera Blue Cross breach.

“The kind of identity theft that is on the table here is qualitatively and quantitatively different than what is typically possible when you lose your credit card or Social Security number.”

What's more, it often takes longer for victims to discover that medical data has been stolen than to realize that his or her credit card is being used. Consequently, medical data theft can lead to a variety of long-term problems including damaged credit, misdiagnosed illnesses, and unwarranted medical charges.

Personal data has become such a valuable commodity that it's outpacing stolen credit cards on the black markets. 

“It is not the value of credit card data that has fallen, it is that credit cards are not the shiniest object anymore," explains Richard Blech, chief executive officer of the cybersecurity firm Secure Channel, in an e-mail. 

"Hackers have simply discovered other valuable bounty can be stolen for the market, company secrets for espionage would be a good example,” he said.

Meanwhile, the number of incidents of hacking and data breaches in the healthcare industry is increasing. A 2014 report by the Identity Theft Resource Center demonstrated that health care accounted for 42.5 percent of cyberattacks last year, and the health-care industry consistently reported the highest number of breaches over the past three years.

A study released in May by the research group the Ponemon Institute revealed that more than 90 percent of healthcare organizations surveyed said they lost data, most of which was to cybercriminals.

Nevertheless, the increased frequency of these breaches may force those in charge of sensitive data to improve security measures.

Following news of the OPM breach, Rep. Adam Schiff, (D) of California, said, "It's clear that a substantial improvement in our cyber databases and defenses is perilously overdue.”

[Editor's note: The original story incorrectly identified Representative Schiff's state.]

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.
editor@csmonitor.com
Subscribe
Mark Sappenfield
Editor

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

Subscribe to insightful journalism

QR Code to OPM hack: What criminal hackers can do with your personal data
Read this article in
https://www.csmonitor.com/USA/USA-Update/2015/0605/OPM-hack-What-criminal-hackers-can-do-with-your-personal-data
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe