How Bad are the Equifax and OPM Data Breaches?


The last two weeks have brought the term “data breaches” into the everyday vernacular across the United States. As families take stock of what has occurred with their personal financial information, the universal reaction has been, “What does it mean to me or my family?”

In response to readers’ queries on how the Office of Personnel Management (OPM) breach and the Equifax breach are similar or different, we will take a stab at explaining, without getting bogged down in the technical discussion, how the breaches occurred. Both were preventable and occurred because an adversary took their time, found weaknesses and then exploited those weaknesses.

Behind the breaches – Who dunnit?

The Equifax breach is believed to have been a monetary crime, if recent “interviews” with the perpetrators can be believed. There was no nation state hand in the effort, though there may be nations lining up to buy the data to fill their targeting databases.

The OPM breach is believed to have been a nation state espionage effort. The jury is deadlocked on ultimate attribution, on whether or not it was carried out by a criminal entity, nation state surrogate, or a nation’s intelligence apparatus. What is not debatable is the granularity of detail contained in the OPM breach.

What do they have?

The Equifax data breaches (two have been identified – March and July 2017) have exposed all publicly available data pulled together by a credit reporting entity. As LA Times columnist Michael Hiltzik points out in his recent opinion piece, “the consumers whose information is on file at Equifax, Experian, and TransUnion aren’t those firms’ customers—they’re the product.” Court records, bank accounts, credit cards, investment accounts, debts and levies are all available within your credit report. In addition, your FICO score and the record of who queried your credit were also compromised. The current estimate puts the number of individuals whose information was compromised at greater than 100 million.

The OPM breach, while smaller in size, is frankly magnitudes more damaging to an individual. What was compromised was not only the information contained in the SF-86 (120+ pages of attestation about one’s life from the first-person perspective and sworn to as true and correct), but also the results of the background investigations (including interviews) and your credit reports as provided by the credit reporting agencies.

There have been a number of breaches which have exposed our personal habits, interests, voting records, and sexual preferences, lest we forget the 52 million members of Ashley Madison, some of whom may have had a security clearance. If it was you, then factor it into the mosaic being used to paint the picture of your likeness.

Freely Available Information

And then there is the freely available information which can be, and is being, scraped off the internet. You may recall in May 2017, we wrote of the RFP for contractors to conduct “Social Media Monitoring.” The contractors would be tasked with a scope far beyond what we traditionally know as social media. What they are monitoring is social activity on the web.

  • Social networks (examples include MySpace, Facebook, and LinkedIn)
  • Micro-blogging websites (examples include twitter and StumbleUpon)
  • Blogging and Forums websites (examples include WordPress, tumblr, and LIVEJOURNAL)
  • Pictures and Video-Sharing websites (examples include YouTube, flickr, and Flikster)
  • Music websites (examples include Pandora, last.fm, and iLike)
  • Online Commerce websites (examples include eBay, amazon.com, and Epinions)
  • Dating Network websites (examples include match.com, eHarmony, and chemistry.com)
  • Geo Social Network websites (examples include foursquare, urbanspoon, and tripadvisor)
  • News and Media websites (examples include the LA Times, CNN, and New York Times)

Now before you get your back up as to the intrusive nature of this “monitoring,” remember the purpose of the entire clearance process is to ensure the individual being entrusted with secrets can be trusted.

It would be both naive and irresponsible to think that a foreign adversary of the United States is not already collecting these items on a person of interest. A good rule of thumb: if it is on the net, it is available for both the counterintelligence background investigative purposes and the offensive intelligence targeting purposes of an adversary.

In conclusion, those who had their information compromised in the OPM data breach just had the financial portions of that breach updated by the Equifax breach. The OPM data stores contained the credit report generated by one of the big-three credit reporting companies. You’ve already weathered the greater of the two storms.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).
