Major back-to-back breaches at federal agencies illustrate a vicious circle in cyberattacks: Personal information stolen in one breach is being reused to enable secondary breaches. Expect data stolen from OPM to be used elsewhere.
More bad news this week on the cyber front. The U.S. Office of Personnel Management (OPM) announced that a breach of its systems exposed personally identifiable information (PII) for as many as 4 million current and former government employees. And this probably is not the end. “Since the investigation is on-going, additional PII exposures may come to light,” OPM said in a statement.
This latest bad news from OPM (the agency was also breached last year) comes on the heels of an IRS breach that exposed tax records of more than 100,000 people, believed to be the work of Russian criminals.
These breaches illustrate a vicious cycle in cyberattacks: Personal information stolen in one breach is being reused to enable secondary attacks. And there might well be a link between these two incidents.
The breach of the IRS Get Transcript application, which lets taxpayers download copies of their past tax returns, was not sophisticated. The criminals simply used stolen PII to pass the application's identity checks.
“It looks like a rerun of information from a secondary source,” said Tom DeSot, CIO of the security company Digital Defense. Get Transcript relied on knowledge-based authentication, a challenge-response scheme in which users prove who they are by answering personal questions. The weakness is that the answers are themselves PII: anyone holding a stolen record for a taxpayer also holds the answers. The criminals probably used a script to automate the log-in process, feeding it stolen PII bought on the black market.
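The scripted abuse of a knowledge-based authentication (KBA) step described above leaves a recognizable trace in authentication logs: one client source claiming many distinct identities in quick succession, with a pass rate far above what guessing would produce. The Python below is an added example written for this article, not IRS code, and everything in it is assumed: the log format, the sample lines (constructed, with documentation-range IP addresses), the hypothetical identifier field and the thresholds.

```python
"""Detect scripted abuse of a knowledge-based authentication (KBA) step.

Added example, not the IRS's code or logs. Each constructed log line records
one attempt to pass the KBA questions:
    <ISO-8601 timestamp> <client IP> <claimed identity> <PASS|FAIL>
A person answering questions about their own life produces a few attempts
for one identity. A script replaying a file of stolen PII produces a stream
of attempts for many different identities from one source, and because the
answers come from the same stolen records, most of them pass.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). 198.51.100.7 behaves like a script
# feeding stolen records; 203.0.113.5 looks like one person who fumbled a
# question and retried; 192.0.2.33 is a single ordinary login.
SAMPLE_LOG = """\
2015-02-01T09:00:01Z 198.51.100.7 tp-1001 PASS
2015-02-01T09:00:03Z 198.51.100.7 tp-1002 PASS
2015-02-01T09:00:05Z 198.51.100.7 tp-1003 FAIL
2015-02-01T09:00:07Z 198.51.100.7 tp-1004 PASS
2015-02-01T09:00:09Z 198.51.100.7 tp-1005 PASS
2015-02-01T09:00:11Z 198.51.100.7 tp-1006 PASS
2015-02-01T09:00:13Z 198.51.100.7 tp-1007 PASS
2015-02-01T09:00:15Z 198.51.100.7 tp-1008 FAIL
2015-02-01T09:00:17Z 198.51.100.7 tp-1009 PASS
2015-02-01T09:00:19Z 198.51.100.7 tp-1010 PASS
2015-02-01T09:14:30Z 203.0.113.5 tp-2001 FAIL
2015-02-01T09:16:02Z 203.0.113.5 tp-2001 PASS
2015-02-01T11:02:44Z 192.0.2.33 tp-3001 PASS
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src_ip: str
    identity: str
    passed: bool


@dataclass(frozen=True)
class Alert:
    src_ip: str
    distinct_identities: int
    attempts: int
    pass_rate: float


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_s, ip, ident, result = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(Attempt(ts, ip, ident, result == "PASS"))
    return attempts


def detect_scripted_kba(attempts: list[Attempt], window: timedelta = timedelta(minutes=10),
                        min_identities: int = 5, min_pass_rate: float = 0.5) -> list[Alert]:
    """Flag sources that claim at least `min_identities` distinct identities within
    `window` and pass at least `min_pass_rate` of those attempts.

    The pass-rate condition separates PII replay (answers known in advance, so
    mostly PASS) from a blind brute-forcer (mostly FAIL). Thresholds are assumed.
    """
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)

    alerts = []
    for ip, items in by_ip.items():
        items.sort(key=lambda a: a.ts)
        best = None  # (distinct identities, attempts, pass rate) of the densest window
        start = 0
        for end in range(len(items)):
            while items[end].ts - items[start].ts > window:  # slide the window
                start += 1
            win = items[start:end + 1]
            idents = {a.identity for a in win}
            if best is None or len(idents) > best[0]:
                best = (len(idents), len(win), sum(a.passed for a in win) / len(win))
        n_ident, n_att, rate = best
        if n_ident >= min_identities and rate >= min_pass_rate:
            alerts.append(Alert(ip, n_ident, n_att, rate))
    return alerts


if __name__ == "__main__":
    for alert in detect_scripted_kba(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two caveats a practitioner would add. First, keying on the client IP is the weakest choice; an attacker with a file of stolen records will spread attempts across many addresses, so in practice the same logic is run over a device fingerprint, ASN or session attribute as well. Second, detection only limits the damage; it does not fix the underlying problem, which is that KBA answers are PII and therefore already in the hands of whoever bought the breach data.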
The data used in the IRS breach must have come from a source that included Social Security numbers, which probably rules out retailer breaches such as Target's, where payment card data rather than SSNs was taken. Paul Martini, CEO of iboss Cybersecurity, suspects that the source might have been the Anthem health insurance breach reported in February. That one exposed the names, birthdates, SSNs and other information of nearly 80 million people.
According to reports, the same Chinese group is suspected in both the OPM and Anthem breaches. It is entirely possible that the Chinese hackers sold Anthem information to Russian gangsters, who used it to get U.S. tax records in order to claim fraudulent tax refunds.
This means that we can expect to see future breaches—or at least attempts—using the stolen OPM information.
Identity theft is an obvious threat, and OPM is offering free credit reports, credit monitoring and 18 months of commercial ID theft insurance (up to $1 million) to victims. But the OPM information could also be used in espionage against other government agencies. Since OPM is the federal government's human resources department, the stolen PII describes federal employees in detail, which is exactly what an attacker needs to craft convincing spear-phishing attacks that could breach other systems across government.
The lack of adequate cybersecurity in government systems is having a huge impact that goes far beyond the inconvenience to those whose information is being stolen. The IRS estimates it paid out $5.8 billion in fraudulent refunds in 2014. The tax data stolen this year is no doubt already being used to file more fraudulent returns, and probably will be for years to come. Add to that the money OPM is now spending on credit monitoring and insurance. This is all taxpayer money.
On top of this, every breach of information undermines the integrity of other government systems, opening them to more attacks from criminals and nation states, threatening the nation’s security.
Every announcement of a data breach, both public and private sector, comes with a standard statement such as that from OPM Director Katherine Archuleta: “Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM.”
If this really is the highest priority, these agencies, these companies, and everyone else who holds PII should be doing a better job of protecting it.