On the surface, last week’s data breach at the US Office of Personnel Management (OPM) might seem like just another cyber attack, similar to those at Target, Home Depot and many others. However, the ramifications of the OPM breach, allegedly perpetrated by Chinese hackers, are potentially more sinister.
Here’s what we know. In early May, data from the OPM and the US Interior Department was compromised. Personally identifying information from an estimated 4 million federal workers was stolen. But why was this particular agency targeted and what might the hackers do with the pilfered data?
The Nation-State Cyber Attack
Let’s start by looking at data breaches in general and nation-state cyber attacks in particular. Data breaches have well-known short-term and long-term economic and political objectives. Many of the most sophisticated cyber attacks utilize nation-state technology to access databases that provide useful information – for governments and for private industries.
In the past, governments needed to field large numbers of spies, and exploit the entire gamut of human behaviors and weaknesses, to gain access to sensitive information. Think back to tales from the Cold War. Spies expended vast amounts of time and energy to build a portfolio of targets and gather their personal information. Now, with the Internet (and the subsequent rise of zero-day attacks and other advanced cyber threats), massive collections of personal information can be gathered in minutes.
These new technologies are vastly more efficient than the old ways of gathering intelligence. They’re also safer in that they operate in full stand-off mode, with little to no consequences for the attacker. The common position of national governments is to not use military resources to protect commercial enterprises that are attacked in cyberspace. This well-known position allows nation-state attacks to target commercial enterprises with impunity.
Why Medical Records are Targeted in Data Breaches
So if the data breach at OPM is truly at the hands of Chinese hackers, what was their objective? Thefts of personal data, such as medical records, are generally not financial fraud, unlike hacks that yield credit card information. Instead, they’re part of a more dangerous nation-state strategy.
As in any type of infiltration action, whether the goal is to steal intellectual property or gain other advantages in business, the more information you have about those whom you interact with, the higher your probability of success.
Medical records, in particular, are essential to nation-states seeking an understanding of the social graph between residents in a community. Having this data allows nation-states to launch more sophisticated phishing attacks. After all, it’s easier to craft credible deceptions using personal information that only a certain employee would normally know.
If you think about it, medical records are a treasure trove of personal information – and they’re typically not well secured. These records frequently point out lifestyle choices and peccadilloes that are useful for those seeking to extort others.
Hypothetically, if I were running a competitor to Amazon or Microsoft in another country, I would find the medical records of the executives at those companies very useful. And those could mostly be found at Premera Blue Cross. Similarly, breaking into Anthem Blue Cross would give me access to many of the medical records of those who lead the Silicon Valley empires.
Not coincidentally, medical records breaches often occur where major technology companies exist. There’s a clear line between the political objectives of a country and corresponding cyber attacks to gain personal information.