OPM Data Breach: What Needs to Happen Now

Dr. Fengmin Gong is the co-founder and chief strategy officer at Cyphort.

I was still pondering some stats reported by Farai Chideya in the article “Your data is showing: breaches wreak havoc while the government plays catch-up,” published on firstlook.org, when I was hit by the disclosure of the 4 million record breach at the Office of Personnel Management. I felt the urgency to share some thoughts.

Offering free credit monitoring is not very useful for many victims, because you never know when and how most of the exposed records will be used. A couple by the name of Rochelle and Paul found that “someone’s opened a PayPal Credit account in Paul’s name and charged $682 from a place called Modern Coin,” two weeks after their record was exposed in the Anthem breach. Do you think the credit monitoring service would have caught this in time and prevented the loss?

At the same time, although the breach expense for a company may look big from an SEC filing perspective (for a loss claim, perhaps), it may not hit its pockets hard enough to spur real action. When it comes to compensatory litigation, what reaches the individual victims is even smaller.

According to this article, Target incurred more than $250 million in breach-related expenses, yet the portion going to a victim (unless you can show you suffered clear damage) is less than $1 per person from a proposed class-action settlement; after insurance reimbursement and tax deductions, the net loss to Target is equivalent to 0.1 percent of its 2014 sales.

Although we do not yet have many details on the breach at OPM, a few things are clear in comparison to the breaches at Target, Home Depot, Sony, Anthem and others.

The Similarities

This breach is also massive, involving 4 million individuals’ personal information. It happened in a government office, like the earlier incidents involving the IRS and various state government offices. Reportedly, the attack originated from China, bearing some similarity to the Sony attack in that a foreign entity was involved. However, the reported breach of 25,000 DHS workers’ private files sounds even more similar to this one, since records of federal employees in security-sensitive jobs were the target there as well.

The Differences

Given that OPM handles records for federal employees, including those obtaining security clearances, the damage can potentially go beyond financial crimes. Many of these identities are linked directly to activities and entities dealing with state secrets and national security matters. Most of the other breached organizations did not have the luxury of having seen attacks from supposedly the same country a year earlier, but OPM did. And yet the breach of 4 million records still occurred before EINSTEIN detected it? This is a more serious alarm, saying that someone may be either asleep at the wheel or not doing things right, and neither is acceptable.

The Implications

This breach has many serious implications beyond the fix of offering employees free credit monitoring. If this attack is nation-state espionage, would you expect the attackers to apply for a new credit card and go on a shopping spree? What about the safety and security of those federal employees? Could they become the targets of spear-phishing or blackmail? What more can the bad actors learn from the 4 million records through big data analytics? This is one occasion on which I sincerely hope the government has taken a lot of mitigation steps.

Simple lessons to consider:

Do it now: Work on implementing an effective defense posture if you have not yet done so.

Follow the right approach: If you think you have been at it for a while, ask what you are not doing right. For example, are you watching access to all your critical assets (full coverage and visibility), and are you watching it all the time (continuous monitoring, diagnostics and mitigation)? Do not assume attacks are coming from any one particular attack vector (full kill-chain detection).

Adopt best practices: Pick a tool that best implements the above approach and verify its detection efficacy in real deployments. The tool should scale to cover your complete IT environment, from the physical to the virtualized. It should enable ecosystem defense with threat intelligence sharing in mind and allow easy integration into your business and IT workflows through APIs. Ask what specific methods the tool uses to deal with evasive modern threats, e.g. infection via social engineering and spear-phishing, multilayer code packing, obfuscation, encryption, and armoring against sandboxing. The proof is in the pudding: verify the performance in your own deployment testing.

Still in doubt? Get some external help.
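The “are you watching access to all your critical assets, all the time” question in the lessons above can be made concrete with a small continuous-monitoring check over access logs for a records store: who touched the records, how many at once, and when. The following is an added example and not code from the article or from Cyphort; the log format, the account names, the authorized-account list, the bulk-read threshold and the business-hours window are all constructed assumptions for illustration.

```python
"""Baseline-and-threshold monitoring over access logs for a critical
records store (added example; every name and threshold is an assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, account, action, record count.
SAMPLE_LOG = """\
2015-06-01T09:02:11 hr_analyst01 READ 12
2015-06-01T09:15:40 hr_analyst02 READ 8
2015-06-01T23:41:05 svc_backup READ 250000
2015-06-02T02:10:33 hr_analyst01 READ 90000
2015-06-02T02:12:07 hr_analyst01 READ 120000
2015-06-02T10:30:00 contractor_x READ 15
"""

# Assumed policy: who may access the store, and which accounts (e.g. backup
# jobs) are expected to read in bulk and run outside business hours.
AUTHORIZED = {"hr_analyst01", "hr_analyst02", "svc_backup"}
BULK_ALLOWED = {"svc_backup"}
BULK_THRESHOLD = 50000          # records per account per window (assumed)
WINDOW = timedelta(hours=1)     # sliding window for bulk-read detection
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time (assumed)


def parse_line(line):
    """Split one log line into (timestamp, account, action, record_count)."""
    ts, account, action, count = line.split()
    return datetime.fromisoformat(ts), account, action, int(count)


def analyze(log_text):
    """Return a list of (alert_type, account, detail) findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    alerts = []

    # 1. Coverage: any access by an account not on the authorized list.
    for ts, account, action, count in events:
        if account not in AUTHORIZED:
            alerts.append(("unauthorized_account", account,
                           f"{action} {count} records at {ts.isoformat()}"))

    # 2. Bulk reads: total records read per account inside a sliding window,
    #    flagged once per account, skipping accounts expected to read in bulk.
    per_account = defaultdict(list)
    for ts, account, action, count in events:
        if action == "READ":
            per_account[account].append((ts, count))
    for account, reads in per_account.items():
        if account in BULK_ALLOWED:
            continue
        start, total, flagged = 0, 0, False
        for end in range(len(reads)):
            total += reads[end][1]
            while reads[end][0] - reads[start][0] > WINDOW:
                total -= reads[start][1]
                start += 1
            if total > BULK_THRESHOLD and not flagged:
                alerts.append(("bulk_read", account,
                               f"{total} records within {WINDOW}"))
                flagged = True

    # 3. Timing: interactive (non-service) accounts active outside business hours.
    for ts, account, action, count in events:
        if (account in AUTHORIZED and account not in BULK_ALLOWED
                and ts.hour not in BUSINESS_HOURS):
            alerts.append(("off_hours_access", account, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the check flags the unlisted contractor account, the analyst account that pulled over 200,000 records in two early-morning reads, and the off-hours activity of that same account, while the backup job’s large read at night stays quiet because the policy expects it. The point is the shape of the monitoring, not the numbers: the thresholds have to come from your own baseline, and the alert types map to the coverage, continuous monitoring and kill-chain questions in the lesson.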

(Image via wk1003mike/ Shutterstock.com)