Chinese hackers steal 4M federal personnel records: Here’s what the breach means for insurance

Latest OPM cyber attack highlights growing need for cyber insurance.

June 05, 2015 | By Patricia L. Harman

The latest high-profile cyber attack involves over 4 million records of former and current government workers.

The U.S. Office of Personnel Management said Thursday that it recently became aware of an incident where the records had been breached, including names, addresses, birthdates and social security numbers. From June 8 through June 19, OPM will be sending e-mails to the individuals whose personally identifiable information was compromised. The office says e-mails will come from and will contain information about credit monitoring and identity theft protection services available to those affected by the breach.

According to its website, OPM is offering credit monitoring services and identity theft insurance with CSID, a firm that specializes in identity theft protection and fraud resolution. Individuals will receive, at no cost, a comprehensive, 18-month membership that includes credit report access, credit monitoring, identity theft insurance and recovery services.

“Monitoring credit histories seems woefully inadequate in the wake of the scope of this breach,” says Yanai Z. Siegel, director of operations for Your House Counsel. “The issue may become whether centralizing all such records into a single widespread network has become a greater risk, and whether better data record practices such as data encryption generally, [and] splitting records up into multiple databases so that more sensitive information is separated (and separately encrypted)” offers greater protection in the event of a system compromise.

OPM battles 2.5B attacks each month

The concern is that the data could be used to target workers with sensitive information who could be subjects of traditional blackmail tools.

OPM said it receives approximately 2.5 billion attacks in an average month. According to the FBI, Chinese hackers are believed to be behind this latest attack, which follows an attack by North Korea on Sony, and Russian attacks on the White House, State Department and the IRS. In February, health insurer Anthem revealed that close to 80 million of its records had been hacked.

“Governmental agencies are particularly vulnerable to cyber-attacks because: (1) they have the data bad guys want (including financial and health information); and (2) budgets and expertise for data security are far lower than at private sector companies,” explains privacy lawyer Bruce Raymond, CIPP/US, of Raymond Law Group LLC, a privacy boutique.

The information stolen can be used to create new identities or at the very least apply for credit cards and other forms of credit such as opening bank accounts. Winston Krone, managing director of Kivu, a national technology firm specializing in the forensic response to data breaches and proactive IT security compliance, says “the government should act to make social security numbers, a government creation, less valuable to cyber thieves by mandating multi-factor authentication in credit applications and IRS transactions.”
