Cyber Breach Much Worse Than Reported

US Government OPM Cyber Breach Much Worse Than Reported

The much publicized breach at the US government Office of Personnel Management (OPM) in May this year was much more serious than initially reported, in terms of the number of people affected, the quality of information breached, as well as the probable cost to American taxpayers.

While the breach was widely publicized shortly after it occurred, were revealed in a recent quarterly report released by NTT Group security company Solutionary. Our report published last week outlines the most prevalent types of cyber attack, as well as the most commonly identified forms of malevolent activity worldwide that were contained in the 22-page report. It also drew attention to the fact that more Malware attacks occur in the US than in any other country in the world.

The OPM breach is covered in some detail in the second quarter Solutionary report. Ultimately, it states that this Government breach won’t just affect people at this point in time, but it will also affect others in future, and is likely to impact on the integrity of any background investigation processes relating to millions of people for the next 10 to 20 years.

OPM is going to have to increase its identity threat protection services, and according to the report, will cost US taxpayers in excess of $220 million. Furthermore, these services won’t cover every taxpayer.

Extent of the OPM Breach

 

When the OPM breach was first discovered, the number of people said to be affected was four million. This figure quickly rose to 22 million, though the Solutionary report states this is probably a very misleading figure. The issue is that the records accessed were not only those of government employees, but also included personal data about family members and even friends, and so the number of people affected is likely to be closer to 132 million, and even this could be conservative. However the authors of the report state it will probably never be known just how big the breach was, but it is likely to have been “the biggest loss of private information ever.”

And it’s not just about numbers, but rather the “quality” of data that was accessed. The breach involves 127-page forms that require a huge amount of information, from names, addresses over the last 10 years, schools attended, social security numbers, passport numbers, financial statements and health statements. In a nutshell the information covers what you would expect to find in a combination of bank, employment, medical and school records.

While OPM hasn’t confirmed whether FBI, NSA, and CIA forms were classified or protected sufficiently to have escaped the breach, there is a possibility that they weren’t; and if not, someone with “malevolent intent” could do a lot of damage. Unfortunately, the report states, there is not way to know whether individuals at these government agencies are compromised or not, and it could take 10 to 20 years to find out.

Cost of the OPM Breach

The “real costs” associated with the OPM breach relate primarily to credit protection services the government has offered 4.2 million victims via the identity theft protection company, CSID for 18 months. An additional 22 million people will probably receive similar service – with costs likely to amount to an additional $200 million. High risk, as well as critically and specially sensitive individuals will also have to be vetted again to ensure they are in fact trustworthy. While it is not known how many people will be affected, based on the OPM charge of $4,000 for a “single scope background investigation,” if only 20 percent of the 22 million need to do this, it will cost another $18 million.

These costs don’t include lost services or any costs that could be incurred if or when victims are compromised further at a later stage.

This may not only be the biggest loss of sensitive information ever, but it may very well ultimately rank near the most expensive,” the report states. Further, since OPM isn’t the US federal government’s largest agency, and since the breach was discovered by accident, if these same levels of control are in place at larger agencies, the potential for similar breaches is very real.

By Penny Swift

Kokumai

How to Enhance Security of Digital Identity

Enhance Security of Digital Identity Introduction The subject of this article is a fragile digital identity built with a weak password, which makes a grave choke point of the cyber age. The word ‘password’ is ...
Ramanan GV

Establishing a Unified Governance Model for the Digital Workforce

Increase visual control and reduce OPEX by 30% The Digital Service Providers (DSPs) are riding an automation wave. Painful manual tasks, which burdened staffs for ages, can now be easily handled by the software bots ...
David Shearer

Looking Back – and Looking Forward to 2020

As we celebrate our thirtieth anniversary here at (ISC)², it’s incredible to look back at the changes our industry has been through. From advances in technology, to changing policy and regulations, this field is constantly ...
Episode 4: The Power of Regulatory Compliant Cloud: A European Case Study

Episode 4: The Power of Regulatory Compliant Cloud: A European Case Study

An interview with Johan Christenson, CEO of CityNetwork With the world focusing on the big three hyperscalers, there is still room – and much necessity for – more local cloud providers who are better suited ...
Trust Report

Profit-Driving Strategies for 2020, Backed by Data

Profit-Driving Strategies Since 2019 is coming to a close, the time has come for businesses to evaluate what they can do to propel profits in 2020. The vast array of possibilities can make an enterprise's ...
Juan Pablo Perez Etchegoyen

7 Security and Compliance Considerations for Cloud-Based Business Applications  

Security and Compliance Considerations There’s no doubt on-premises deployments of mission-critical business applications provide more control over data as it resides within the four walls of an organization’s network infrastructure. However, businesses can no longer ...