Folder with images

A Black Market ‘Facebook’ Being Compiled by China to Leverage US Government Employees

A recent Fox News report warns that China is assembling a dossier of information more complete and more private than any Facebook account on government employees after consolidating stolen data from multiple breach sources.

The extensive breach of the U.S. Office of Personnel Management saw the leak of over 20 million current and former employees’ most personal data, containing medical records, addresses, dates of birth, job and pay history, health and life insurance, pension details, and even demographic data. Frightening, isn’t it?

News of the OPM breach continues to develop, including the most recent news that 5.6 million fingerprints were also stolen in the attack, five times more than previously stated. And unlike things like Social Security numbers that can be replaced, fingerprints are the kind of biometric measure that can be stolen and can’t be replaced. All of this leaked data is in addition to data already taken, compromising a significant amount of personal information thanks to the use of the 127-page Standard Form 86, a.k.a. the SP-86, used when assessing candidates for National Security Positions.

Security experts have been warning that they’ve seen an increase in Chinese hacking attempts of sensitive sites like the OPM, in line with what NuData’s own investigations has also seen in the last three months. Taking information stolen from that hack and adding it to data stolen in breaches like the Antham and Blue Cross hacks, China is able to build up a robust database of information for nefarious purposes, profiling individuals they could then either impersonate or influence. A source for Fox News referred to the combined pool of data as, “a private version of Facebook with much more detail about your life than even Facebook has that the Chinese now have access to.”

There is concern that not only could this private directory of US government employees be used to embarrass, coerce or even impersonate staff, but that the data could filter down and affect the children and families of those affected by the breach. The stolen fingerprints are also worrying, putting field operatives at risk of discovery. Even outside of government espionage, the information they are gathering has a financial component. The more complete these profiles are, the more damaging the potential fraud.

It is easy to understand why the stolen fingerprint is worrying — biometrics are usually hailed as the ultimate measure, but physical scans like a fingerprint or a retina scan can be replicated. Ryan Wilk, in a recent interview, said, “Spoofing fingerprints is no longer something from a sci-fi movie. It is happening and will increase more as cheaper tools make their way onto the Dark Web.”

Behavior-based biometrics, however, can’t. The way we hold a phone, how fast we type, even the way we navigate a website can all be measured and create an un-stealable, un-spoofable profile. Moving to a system with a behavioral cornerstone means that the kinds of hacks perpetrated by the Chinese become less valuable to steal and less useful when trying to leverage other systems.