Is the OPM Data Breach Data Being Used for Identity Theft?


Earlier this week the Washington Post led with a story about how Kariva Cross and others had pleaded guilty to aggravated identity theft and other charges. Other news outlets also reported how information associated with the Office of Personnel Management (OPM) background investigation breach of 2015 was used in the execution of a number of financial crimes against the Langley Federal Credit Union, where members’ identities were used to acquire fraudulent loans. All of the news reports fail to confirm how exactly that data was acquired, and why the OPM hack is associated with the criminal complaint.

A reading of the indictment and the statement of facts wasn’t any more illuminating regarding the OPM data being instrumental in the identity theft. As this is the second instance where a prosecution has referenced the OPM data, a quick outreach to the spokesperson for the Eastern District of Virginia was made.

The result of my inquiry?

I was pointed to paragraph six of the “Statement of Fact.”

As we all know, words are important.

What this paragraph doesn’t say is that the OPM breach data was used. It tells us that the victims of identity theft were also victims of the breach, and resided in the state of Colorado.

What neither the court documents nor our inquiry resolved is the source of the information these criminals had in their possession.

The China question?

Is the DOJ sending signals to China, signals that may be too subtle?

Perhaps it is indicative that three years after the original breach the Chinese have given the green light for the original hackers to monetize the theft of millions of background folios?

Coincidence?

Or perhaps it is simply coincidence that the victims of identity theft who used this particular federal credit union were also victims of the OPM hack. Those whose data was breached by OPM have faced a number of other breaches in the years since.

Credit reports are part of the corpus of information gathered in every background check on an individual under review. Equifax has been hacked, and that affected over 100 million individuals, some of whom no doubt were also included in the OPM hack. Equifax information has already been found offered for sale on “dark web” retail sites.

Perhaps the Anthem hack of 2015 was the source of the information. Anthem lost data on more than 79 million individuals carrying Federal Blue Cross Blue Shield coverage. That corpus no doubt included a number of individuals whose information was also compromised in the OPM hack.

The Eastern District of Virginia’s reticence in sharing the source of the information leveraged by the criminals is understandable. Why should they point future criminals to a harvestable source of information?

What should we do as individuals?

Absent any precise information, OPM hack victims should proceed as normal – and that is, with caution. Those who safeguarded our data were themselves victimized, and their solution was to provide an “identity monitoring” service for a period of time. None have offered a lifetime of monitoring. Instead, they comment that the time between theft and utilization is normally within 12 months, an assumption that no longer applies.

Freeze your credit report. In this manner, no financial instruments can be opened in your name without your involvement in the transaction. The three credit reporting agencies in the US – Equifax, Experian and TransUnion – are permitted, in some states, to charge you a fee for this service. Many states are passing legislation which prohibits such charges, so make sure you check with your state’s Attorney General’s office.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).
