Why Credit Monitoring Fails to Address the Real Threat Facing Hacked Feds
State-sponsored breach was probably never about financial information, experts say.
In response to what was one of the largest data breaches in American history, the Office of Personnel Management has offered 4 million current and former federal employees free credit monitoring and identity theft insurance.
That approach may completely miss the mark, experts say.
Media reports and now lawmakers have said that state actors -- likely from China – appear to be behind the attack, rather than individuals looking to exploit employees’ financial information. Credit monitoring, therefore, is a nice offer but one that is unlikely to protect federal employees from their adversaries’ true intentions.
“Credit reporting is lip service,” said Richard Blech, CEO of Secure Channels Inc., a cybersecurity firm that provides encryption technology and authentication services. “It means nothing.”
Ken Ammon, chief strategy officer for Xceedium, a network security company that contracts with the government and commercial enterprises, said credit monitoring is fine as a “first step,” though it serves more to protect the infiltrated organization legally than it does the individual from bad actors.
Experts refer to the hack as “cyber espionage,” rather than “cyber crime.” Individuals that illegally obtain data such as Social Security numbers and addresses can use that information for identity theft as it relates to credit card information, for example, but state actors do not hold those same interests.
“The reason [federal employees] are a prime target is not about just getting into credit card data or something like that,” Blech said. “That’s not [the hackers’] interest.”
If hackers were looking to commit financial fraud, there would be no need to specifically target the federal workforce, according to Pam Dixon, CEO of World Privacy Forum, a nonprofit organization that researches and educates the public on technology and security issues. They could easily access that information on the dark Web, she said.
Instead, she added, the hack was very thoughtfully carried out, and the victims were intentionally targeted. “It’s a very clever attack for that reason I think it’s a particularly dangerous attack.”
One way affected current and former federal employees could feel the impact is on their home devices, Dixon warned. With all the information the hackers have gathered from the hack, it would be easy to gain “back-door” access to their victims’ computers, mobile phones and tablets. Any government work conducted on those devices could then be available to the hackers, Dixon said.
“It’s about your work documents and what might be flowing from work life,” she said.
Another threat for federal employees could stem from a hacker using their credentials to gain access to a federal network. Once that occurs, Blech said, the employees could be “dragged into a legal morass” to prove they were not responsible for the nefarious activities.
“Once your identity is taken and used,” he said, “it’s hard to undo that.”
Hackers will specifically target those with privileged access to government networks, Ammon said. Those who carried out the attack can use the information from it to make phishing emails seem even more realistic. Employees can be coerced into providing information without realizing they are being coerced, which can in turn lead to a blackmail situation.
Those who receive notifications their personal data was compromised should use the opportunity to upgrade their personal systems, Dixon said. The simplest solution? Getting a new computer, as the older the machine is, the easier it is for hackers to penetrate. They should also invest in firewall protections and keep a careful eye out for phishing emails for years to come (even the credit monitoring service the government did offer is only for 18 months).
Blech added the bigger problem now is for federal agencies to improve their own systems, and to ensure the information on them is encrypted. OPM has said its systems have been upgraded since the hack took place, although even the most sophisticated government detection tool would not have been able to detect the attack in real time.
Ammon also said the individual’s ability to protect the network is limited, and the government should focus on limiting the amount of information available once a hacker gains access to its networks.
“You’re not going to be able to give advice to people that bears any fruit,” he said. “That worked for Nigerian financial scammers.”
He adds: “We’re dealing with nation-states here. You’re not going to be able to tell the difference” between a real email and a scam.
(Image via scyther5 / Shutterstock.com)