In early September credit reporting company Equifax revealed that the personal information – including Social Security numbers, birth dates, addresses and driver’s license numbers – of 143 million Americans was hacked and stolen by malicious actors.
This breach constituted one of the biggest exposures of Social Security numbers since the Office of Personnel Management breach in 2015, which exposed the sensitive information of 21.5 million individuals who had either applied for a background investigation or were the spouse or co-habitant of someone who had.
Equifax did not return requests for comment on whether federal employees, specifically, were exposed, but the theft of those employees’ information can pose a national security risk not seen by the average citizen.
On the surface, federal employees face the same dangers as average citizens in the wake of a data breach: credit card theft, fraudulent tax returns, stolen identity, fraudulent medical records and others. But, according to experts, federal employees’ access to sensitive material poses another layer of danger in the wake of a data breach.
Though past breaches have proven that the information of federal employees is a prime target, few response resources exist for this demographic. However, recently introduced pieces of legislation aim to give victims greater advance warning of exposure and provide federal victims with an advocate and resource in the wake of a breach.
“On the federal side, the bad guys could be trying to do the same thing: steal your credentials to gain access to more sensitive data that’s on the network versus what’s on the device,” said Bob Stevens, vice president of federal at LookOut, a mobile security and threat intelligence company. According to Stevens, this was one of the problems at the core of the 2015 OPM breach, as “credentials were stolen, which gave them access to the infrastructure to steal the data.”
Breaches within the federal government also pose greater danger to its employees than with other employers, as agencies have access to far more detailed information about their employees’ lives.
“A lot of federal government employees have a lot of sensitive information about themselves let alone the work that they’re doing … that they make available to the government,” said Rep. Anthony Brown, D-Md. “We know a lot more about our employees than perhaps the average employer does, and much of what we know, if hacked, if stolen, if lost or if breached, could put our employees at great risk.”
Feds as targets
Less than a month after the Equifax hack was revealed, Politico reported that White House Chief of Staff John Kelly’s personal cellphone had been potentially compromised for months, underscoring that the personal devices of high-ranking federal officials are prime targets.
“Even though federal employees aren’t necessarily supposed to be accessing sensitive data with their mobile devices, I think in a lot of cases they are in order to make themselves more productive,” said Stevens, adding that higher-level individuals are likely to be targeted by nation states. “If I’m a bad guy and I know that you have two devices, it’s you that I’m targeting and the information that you have.”
White House Cybersecurity Coordinator Rob Joyce revealed that his own Social Security information has been compromised as many as four times, showing that even the most cybersecurity-conscious feds can become victims.
“On the nation-state side, I think they’re also looking for any type of sensitive data that may exist that they could use to gain advantage over the U.S. in some way,” said Stevens.
The OPM hack, for example, is widely believed to have been perpetrated by the Chinese government, placing those exposed in greater danger of nation-state blackmail or espionage than financial fraud.
“If they work for the government it might be a mechanism for blackmail. That’s something that’s always worried about. You could identify people, for example, that have a very bad credit rating,” said Rep. Jim Langevin, D-R.I. “That’s something that a foreign operative could use to approach them, target them and try to get them to do nefarious things for financial gain that would hurt the nation’s security.”
That information could be valuable for years after the breach occurs, and may be kept on standby until the free credit monitoring services offered to victims expire.
“It’s not an easy thing to correct,” said Rep. Rob Wittman, R-Va. “So, it’s simple to say, ‘Well, we’ll provide you identity theft protection,’ but if you’re going to do that for a short period of time, and then you advertise that, the people that have attacked and obtained your information know that that’s going to be a limited amount of time. I think there has to be a long-term and permanent effort in what they do to protect folks whose information has been hacked.”
According to experts, hackers can wait an average of a couple of years before exploiting the breach information, though that time could be longer under certain circumstances.
“The usual post-breach chain is as follows: The attackers offer the information for sale within the criminal underground, and the various purchasers (other criminal groups) start to attack those users and perpetuate fraud against them,” said Mike Murray, vice president of security research at LookOut. “Sometimes that happens quickly (usually in the case of credit card theft because cards can be reissued quickly) or more slowly (for example, health-care breaches). But the knock-on effects of fraud against the breached data usually perpetuate for a year to 18 months, at least.”
“You won’t know if your identity has been compromised for, possibly, it could be 10 years,” said Kim Allman, director of government affairs at Symantec, referencing the 10 years of identity restoration, identity insurance and identity and credit monitoring services offered after the OPM breach. “We see more often than not it’s three to five years. They’ll sit on this information.”
The OPM Cybersecurity Resource Center also warns about phishing campaigns that can be built on leaked information and the increased potential for hackers to guess account passwords based on that information.
According to Stevens, LookOut sees spikes in phishing activity after these breaches occur.
Defining response needs
Though both the Federal Trade Commission and OPM have provided guidance on how citizens should respond to breaches of their personal information and identity theft, problems still remain within the system for addressing fed-specific problems.
“There is a patchwork of laws across the states on how to deal with breaches and different state laws on credit freezes, versus credit monitoring, versus locks, and I think there’s a lot of misinformation for consumers,” said Allman.
Langevin introduced a bill in September called the Personal Data Notification and Protection Act of 2017 that would implement breach notification standards through the FTC and give that agency control over when a company must notify consumers.
“I think it just makes more sense to have one federal standard and let everyone know what their responsibilities are,” said Langevin.
The responsibilities of federal agencies for advising their employees in the event of a data breach also are not clearly defined. Federal Times reached out to OPM to discover what guidance they issued to employees in the wake of a breach, and was referred to the FTC’s resources.
The FTC referred Federal Times to their resources for consumers on the Equifax data breach, which they said would also apply to federal workers affected by breaches. These resources include blog posts on the recent Equifax breach, as well as resources on what to do and actions to take when one’s information is stolen. None of these resources are federal employee specific, however.
According to Rep. Brown, there is no consistency between agencies in the resources or responses they provide to employees in the wake of a breach.
“When a breach is known to have occurred, then maybe some agencies step up and maybe try to provide information to employees about what an appropriate response is and what they can do to minimize their exposure or their risk, and there may very well be agencies that don’t do that at all,” said Brown, who recently introduced legislation titled the Cyber VICTIM Act that would create a position within the federal government to coordinate victim response.
“It creates a cyber-victim coordinator who will provide information and counseling – counseling in the sense of guidance – in what to do in the event your records, your information is hacked,” said Brown. “And then there’s also a requirement that the coordinator develop a plan for Congress on what the responses will be to cybersecurity incidents in terms of supporting the federal workforce.”
Wittman, who is a sponsor of Brown’s bill, added that he hopes to get OPM officials back in front of committees to go over exactly what has changed since the 2015 hack occurred.
“Those individuals, based on the jobs that they do and their efforts, I think, are extraordinarily vulnerable,” said Wittman. “And I think that we have an obligation to ensure that our federal workers have both the support and assistance they need in an event that their information is gained through one of these cyberattacks and their personal information is compromised.”
Jessie Bur covers federal IT and management.