If personnel records of nearly 22 million did indeed land in the hands of China, as widely reported, the threat lies squarely with U.S. national security and the protection of sensitive government data, not the identities of federal employees.
That is, despite the reasonable fears expressed by the federal workforce, China is not out to open credit card accounts with the personal information stolen from the OPM breach, said Joe Ross, president and co-founder of CSID. The company is charged with providing identity theft protection to the 4.2 million federal employees affected by the first OPM breach detected.
But the data is valuable just the same – particularly when combined with the biometric information stolen as part of the second breach involving more than 20 million records.
"If it was a government entity that gathered the knowledge they're going to use it," Ross said in a Thursday interview with Federal Times about the implications of the breach. "It gives another inroad into another government entity. Maybe [a system requires] two-factor [authentication] with a biometric. Well, now they have a fingerprint."
Related
Report: China builds 'Facebook of human intelligence'
The OPM Data Breach: What You Need to Know
Here's how it could go: An enemy state could combine a fingerprint of a federal employee with personal information – social security number, date of birth, and so forth – as well as personal details gathered via social engineering to crack a login password.
"With individuals doing so much on social media, it's easy," said Ross, who added that CSID has not been tapped by OPM to provide fraud prevention for those impacted by the second breach. "What most don't realize is when they have a child and [post] 'welcome to the word,' well I now know [your daughter's] date of birth. And her grandmother commented on it, so I know [your] mother's maiden name. And you list your high school, so I now know your mascot. Those are the security questions [often] asked in two factor authentication," which in turn allows a hacker to either identify or change a password to log into a government system.
And therein lies the biggest threat of all.
"The agencies have to worry about the same thing the private sector worries about – it's trade secrets, it's IP, it's information we don't want getting out," Ross said. "That's where the focus is. What can we do to protect the information? It's not just OPM. We need to go beyond OPM and ensure the rest of the agencies have safeguards in place."
Check back to FederalTimes.com in coming weeks for more stories and videos from our extensive interview with CSID's Joe Ross.
Jill Aitoro is editor of Defense News. She is also executive editor of Sightline Media's Business-to-Government group, including Defense News, C4ISRNET, Federal Times and Fifth Domain. She brings over 15 years’ experience in editing and reporting on defense and federal programs, policy, procurement, and technology.
