On the surface, last week’s data breach at the US Office of Personnel Management (OPM) might seem like just another cyber attack, similar to those at Target, Home Depot and many others. However, the ramifications of the OPM breach, allegedly perpetrated by Chinese hackers, are potentially more sinister.
Here’s what we know. In early May, data from the OPM and the US Interior Department was compromised. Personally identifying information from an estimated 4 million federal workers was stolen. But why target this particular agency? And what might the hackers do with the pilfered data?
The Nation-State Cyber Attack
Let’s start by looking at data breaches in general and nation-state cyber attacks in particular. Data breaches have well-known short-term and long-term economic and political objectives. Many of the most sophisticated cyber attacks utilize nation-state technology to access databases that provide useful information – for governments and for private industries.
In the past, governments needed to field large numbers of spies, and exploit the entire gamut of human behaviors and weaknesses, to gain access to sensitive information. Think back to tales from the Cold War. Spies expended vast amounts of time and energy to build a portfolio of targets and gather their personal information. Now, with the Internet (and the subsequent rise of zero-day attacks and other advanced cyber threats), massive collections of personal information can be gathered in minutes.
These new technologies are vastly more efficient than the old ways of gathering intelligence. They’re also safer in that they operate in full stand-off mode, with little to no consequences for the attacker. National governments commonly take the position that military resources are not used to protect commercial enterprises from cyber attacks. This well-known position allows nation-state attacks to target commercial enterprises with impunity.
Why Medical Records are Targeted in Data Breaches
So if the data breach at OPM is truly at the hands of Chinese hackers, what was their objective? Thefts of personal data, such as medical records, are generally not financial frauds – like hacks that yield credit card information. Instead, they’re part of a more dangerous nation-state strategy.
As in any type of infiltration action, whether the goal is to steal intellectual property or gain other advantages in business, the more information you have about those whom you interact with, the higher your probability of success.
Medical records, in particular, are essential to nation-states seeking an understanding of the social graph between residents in a community. Having this data allows nation-states to launch more sophisticated phishing attacks. After all, it’s easier to craft credible deceptions using personal information that only a certain employee would normally know.
If you think about it, medical records are a treasure trove of personal information. These records frequently point out lifestyle choices and peccadilloes that are useful for those seeking to extort others.
Hypothetically, if I were running a competitor to Amazon or Microsoft in another country, I would find the medical records of the executives at those companies very useful. Breaking into Anthem Blue Cross would give me access to many of the medical records of those who lead the Silicon Valley empires.
Not coincidentally, medical record breaches often occur where major technology companies exist. There’s a clear line between the political objectives of a country and corresponding cyber attacks to gain personal information.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.