Director Katherine Archuleta, OPM.gov

After admitting the loss of 4m records a week ago the Office of Personnel Management (OPM) must

The story was first broken by the Associated Press and widely reported over the weekend by the BBC and others. It relies on anonymous sources who claim that the data stolen includes the security clearance forms submitted by intelligence and military personnel.

Standard Form 86 – a hacker's El Dorado

Anyone who has served in the military will tell you that those forms are not to be taken lightly. According to a report carried by the BBC, the form in question, Standard Form 86, is 127 pages long. To get an understanding of what the form asks for, it can be downloaded from the OPM website.

The details asked for in the form are extensive. As well as extensive personal details, the form gathers data about passports, travel history, finances, health, police record, use of illegal drugs, alcohol consumption, employment and military service history.

The data gathered is not just about the individual completing the form. As well as seeking information about family members and relatives, it asks for data about “people you know well” and anyone you know who is “foreign” to be disclosed. You are required to disclose the data even if the other party objects.

In the wrong hands, the breadth and depth of the data makes it a simple task to commit ID theft. Estimates of the number of people exposed by this attack range from 4m to 14m, a gap so broad that it does nothing but spread fear and uncertainty.

ID theft not easily fixed

Perhaps the biggest challenge for those exposed to identity theft is that it is rarely a one-off situation. Let’s look at an example.

A family turn up at an airport to go on holiday. As they check in they are told that their passports are no longer valid. Within minutes the family holiday turns into a nightmare as it becomes clear their identities have been stolen. Over a period of several weeks the extent of the identity theft runs to hundreds of thousands of pounds and years of dealing with lawyers, banks, police and government officials to prove their innocence.

Eventually, after more than four years, things settle down and the family believes it is turning the corner. Then one day a mobile phone company calls about a new contract, and a family member discovers that their phone is not working. Within a couple of days it becomes clear that cybercriminals have taken out loans and phone contracts and have even attempted to open bank accounts.

To make matters worse, the family had all the recommended identity protection measures in place, such as credit alerts. In the second attack, the criminals had even set up additional identity protection measures in the name of a family member, something not spotted by the credit reference agencies.

A theoretical example? No. This happened to an individual who was willing to give me a brief outline of their situation when I was researching a separate story about identity theft. The worrying thing is that the attackers are using the information that they stole the first time around and apparently combining that with data gathered from later large scale data thefts.

For US military, intelligence and even government personnel, this is what they can look forward to: not one breach but multiple breaches, and not just for them but for family members, relatives and even their contacts. Even if the hackers are apprehended, it is likely that the data will have been quickly sold on to maximise the profit, and once it is out there, the damage is long lasting.

Blackmail and extortion an extension to identity theft

One of the bonuses for cybercriminals is that the data on Standard Form 86 can now be used to validate data stolen from other sources. As such, it won't take long before inconsistencies in the information are discovered.

For example, the failure to disclose an old debt or default that may have been honestly forgotten can be used to threaten job security. Failure to report an overseas affair with a foreign national is another way that service personnel could be exposed.

All of that information is likely to be used to blackmail security contractors and even serving military personnel into passing on information, stealing weapons or providing access to facilities. This is not idle speculation. Across the world, Military Police deal with this type of problem on a regular basis, although much of the blackmail stems from gambling, alcohol and drug issues.

Cybercriminals dealing with foreign intelligence agencies

Intelligence agencies inside the US will have particular concerns over the loss of this data. Shortly after this story appeared, the BBC published another piece, this time based on a Sunday Times story (registration required). The Sunday Times reported that Russian and Chinese spies had begun decrypting data stolen by Edward Snowden.

The BBC then spoke to unnamed government sources who admitted that as a result of that decryption, it had been necessary to move agents. The same source also said that there was no evidence yet of anyone being harmed.

With the data taken in this new attack on the OPM, it will be easier for foreign intelligence agencies, not necessarily just the Russians and the Chinese, to identify not only spies but also their families and contacts. This is more than a case of quickly extracting spies; it concerns the long-term safety of their families and relatives, especially if the spies were using those contacts as part of their job.

Conclusion

Despite the US talking of more investment in cyber warfare, this second attack is a major disaster for the US and one which it is unsurprisingly keen to play down. The long-term implications for those whose data has been stolen go far beyond the individuals themselves and extend to family members, relatives and anyone they have listed on Standard Form 86.

What is now required is a root-and-branch overhaul of the way data is gathered and stored. Organisations such as the OPM which hold such detailed and sensitive data have to consider how they segment, encrypt and store this level of sensitive data.

More importantly, commercial organisations also need to heed this warning. Personnel records are rarely encrypted, and companies receive CVs on a regular basis containing sensitive information.

Hopefully this will be a watershed in the storage of sensitive data.
