OPM hack: What criminal hackers can do with your personal data

Stolen medical and personal data are now more valuable than stolen credit cards because the information can be used for orchestrating sophisticated attacks on valuable targets. 

An employee of the U.S. Office of Personnel Management departs the building during the lunch hour in Washington June 5, 2015. In the latest in a string of intrusions into U.S. agencies' high-tech systems, the Office of Personnel Management (OPM) suffered what appeared to be one of the largest breaches of information ever on government workers. The office handles employee records and security clearances.

Gary Cameron/Reuters

June 5, 2015

The Office of Personnel Management hack is the largest ever breach of federal employee information and potentially the most damaging because of the type of data stolen.

Criminal hackers gained access to some 4 million records about current and former federal employees and potentially scores of Social Security numbers, employment histories, job performance reports, and training data.

It's this kind of information that can give cunning hackers the ability to commit identity fraud and construct sophisticated e-mail scams known as phishing attacks, and that can lead to even more damaging cyberattacks seeking higher-value information.

“It’s likely this attack is less about money, but more about gaining deeper access to other systems and agencies,” said Mark Bower, a security expert with Hewlett-Packard.

In fact, he said, some of this information could give criminal hackers the raw materials to construct targeted e-mail attacks with the aim of getting access to data about economic policy plans or military and defense data sets, or of committing intellectual property theft.

Several media outlets have quoted anonymous officials and security experts saying the OPM hack was the work of China. Beijing officials have denied those claims.

While it didn't directly attribute this breach to China, the cybersecurity firm iSight Partners told Reuters that it linked the hackers behind the OPM attack to previous thefts of health records from insurance companies Anthem and Premera Blue Cross. Those breaches have also been linked to China.

If the OPM breach was indeed the work of state-sponsored hackers, it could be intended to contribute to a much larger cyberespionage campaign targeted at the US government. 

“It looks like they are casting a very wide net, possibly for follow-on operations or identifying persons of interest, but we’re in a new space here and we don’t entirely know what they’re trying to do with it,” John Hultquist, the senior manager of cyberespionage threat intelligence at iSight, told The New York Times.

Similar to the value of personal data that could be obtained in the OPM breach, medical records also offer an attractive bounty to criminals looking to commit more targeted fraud or steal someone's identity. 

“When someone has your clinical information, your bank account information, and your Social Security number, they can commit fraud that lasts a long time,” Pam Dixon, executive director of the World Privacy Forum, told Monitor correspondent Jaikumar Vijayan in March after the Premera Blue Cross breach.

“The kind of identity theft that is on the table here is qualitatively and quantitatively different than what is typically possible when you lose your credit card or Social Security number.”

What's more, it often takes longer for victims to discover that medical data has been stolen than to realize that their credit card is being used. Consequently, medical data theft can lead to a variety of long-term problems including damaged credit, misdiagnosed illnesses, and unwarranted medical charges.

Personal data has become such a valuable commodity that it's outpacing stolen credit cards on the black markets. 

“It is not the value of credit card data that has fallen, it is that credit cards are not the shiniest object anymore,” explains Richard Blech, chief executive officer of the cybersecurity firm Secure Channel, in an e-mail.

“Hackers have simply discovered other valuable bounty can be stolen for the market, company secrets for espionage would be a good example,” he said.

Meanwhile, the number of incidents of hacking and data breaches in the healthcare industry is increasing. A 2014 report by the Identity Theft Resource Center demonstrated that health care accounted for 42.5 percent of cyberattacks last year, and the health-care industry consistently reported the highest number of breaches over the past three years.

A study released in May by the research group the Ponemon Institute revealed that more than 90 percent of healthcare organizations surveyed said they had lost data, most of it to cybercriminals.

Nevertheless, the increased frequency of these breaches may force those in charge of sensitive data to improve security measures.

Following news of the OPM breach, Rep. Adam Schiff (D) of California said, “It's clear that a substantial improvement in our cyber databases and defenses is perilously overdue.”

[Editor's note: The original story incorrectly identified Representative Schiff's state.]