June 8, 2015
On Thursday, the White House disclosed that the data network of the U.S. Office of Personnel Management (OPM)—the federal government’s human resources department—had been breached, compromising sensitive data on as many as four million current and former U.S. government employees. According to reports, the compromised system contains employment records and information regarding security clearances dating back to 1985.
Officially, the White House said it is “not clear” who is responsible for the attack, which was discovered in April, but reports have indicated that it is likely the work of the Chinese government. According to Reuters, investigators also have linked the OPM attack to high-profile breaches at healthcare providers Anthem and Premera Blue Cross .
If the Chinese are, indeed, behind the latest hacks, consumers may be better off than they were in the aftermath of some of the big breaches in 2014 from which the personally identifiable information (PII) of consumers across the country was monetized by thieves in various fraud schemes. State-sponsored cyberattacks are different—more threatening from a national security standpoint, but perhaps less likely to result in fraud affecting the bottom line of consumers, retailers and issuers.
“State-sponsored attacks are more focused on intelligence gathering. This can include everything from government weapons systems to new commercial technological advances,” said Brian Hussey, global director of Incident Response & Readiness at Trustwave. “They also are interested in targeting PII but often use it as fodder for spear phishing attacks. In other words, they will use the PII to specifically craft social-engineering attacks with real victim information, thus increasing the likelihood of success. State-sponsored actors may also target small businesses but that is frequently used as a ‘hop-point,’ or a data aggregation server where they collect stolen data and forward it back to their home country. This technique allows them to obscure to where the data is actually taken.”