Nearly four million US government workers have had their personal data compromised by a daring breach of the Federal government’s Office of Personnel Management (OPM). Both current and past employees are affected, and there are fears that the breach may affect every federal agency.
Unlike the typical e-commerce breach, which steals credit or debit card credentials, or a username and password breach at a well-trafficked site, the Federal breach hits more closely guarded personnel information. The stolen records do not contain background checks and clearance investigations, but they do include information like job assignments, performance reviews and training those workers have taken.
Why did the hackers focus on such information? It’s hard to say exactly why, but signs point to a cabal of Chinese hackers, suggesting political espionage. Chinese officials have downplayed this claim.
“In the wake of the IRS Hack I keep hearing stories of data breach victims and the struggles they have gone through to clean up the aftereffects of their identity data being used fraudulently,” said Ryan Wilk, NuData’s Director of Customer Success. “Some of the stories have included the nightmare of trying to work with the IRS when you find your tax returns have been fraudulently filed, to financial fraud where credit cards or loans were taken out using the victim’s stolen identity, and e-commerce fraud where a victim’s identity is used to mask a fraudulent purchase. The IRS Hack not only solidifies this but expands it to show that the misuse of identity is the new general electronic fraud across all verticals. With this new knowledge, businesses not only need to verify that identity data fits from a PII verification perspective, but they also need to verify that the user behavior behind the machine is indicative of a valid user.”
This hack follows right on the heels of the IRS hack we spoke of last week, where over 100,000 Americans had their identities used to scam over $50,000,000 in fraudulent tax refunds out of the IRS. The latest news is that the scam was the work of Russian hackers who used information from prior, unrelated data breaches, including names, Social Security numbers and other details, against the IRS’s “Get Transcript” tool. With those transcripts, they were able to file fraudulent returns before the deadline.
NuData Security has seen a 56% increase in account takeover attacks routed through China, and a 26% increase in attacks from Russian sources. So many security systems still rely on knowledge-based authorization measures, and so many data breaches have released information that makes those measures effectively irrelevant, that companies and governments cannot treat free credit monitoring as the only thing they can offer.
If the tactic works, thieves will hack into systems for information and then leverage it to break into systems with ever more sensitive information. A credit card can be replaced, but a person will be forever shadowed by the threat of identity theft. Ditch inherently weak knowledge-based verification. User behavior analytics makes data breach information irrelevant because only the legitimate user can log in.