Following are excerpts from a CRS report about the potential ways the stolen personal data on federal employees could be misused.
There have been suggestions that information exposed in the breaches “could be useful in crafting ‘spear-phishing’ e-mails, which are designed to fool recipients into opening a link or an attachment so that the hacker can gain access to computer systems.”
In addition to being used by nation states, a trove of data from breaches such as those at OPM can provide a number of avenues for criminals to exploit. For instance, compromised Social Security numbers and other personally identifiable information (PII) may be used for identity theft and financially motivated cybercrime, such as credit card fraud. However, experts have been skeptical as to whether compromised information from the OPM breaches will even appear for sale in the online black market. When cybercriminals have tried in the underground markets to pass off other stolen data as that coming from the OPM breaches, this has been debunked, and the stolen data were shown to have come from other sources. The lack of stolen OPM data appearing in the criminal underworld has led some to speculate the breaches were more likely conducted for espionage rather than criminal purposes. Nonetheless, even if data were stolen for non-criminal purposes, they could still fall into criminal hands.
While discussion about the stolen fingerprint information has been limited, analysts have begun to question how this data could be used. Some have speculated that if the fingerprints are of high enough quality, there may be “acutely negative long-term consequences for individuals affected and their future use of fingerprints to verify their identities.” Depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes. For instance, they could be trafficked on the black market for profit or used to reveal the true identities of undercover officials. Also a concern is that biometric data such as fingerprints cannot be reissued—unlike other identifying information such as Social Security numbers. This could make recovery from the breach more challenging for some.
Reports have emerged indicating that OPM had attempted to take over the administration of Scattered Castles—the intelligence community’s (IC’s) database of sensitive clearance holders—and create a single clearance system for government employees. Although the IC refused out of concerns of increased vulnerability to hacking, news reports allege that some sharing of information between systems was underway by 2014. U.S. officials have denied that Scattered Castles was affected by the OPM hack, but they have neither confirmed nor denied that the databases were linked.
If the IC’s database were linked with OPM’s, this could potentially help the hackers gain access to intelligence agency personnel and identify clandestine and covert officers. Even if data on intelligence agency personnel were not compromised, the hackers might be able to use the sensitive personnel information to “neutralize” U.S. officials by exploiting their personal weaknesses and/or targeting their relatives abroad. Access to the IC’s database could also reveal the process and criteria for gaining clearances and special access, allowing foreign agents to more easily infiltrate the U.S. government.
Some in the national security community have compared the potential damage of the OPM breaches to U.S. interests to that caused by Edward Snowden’s leaks of classified information from the National Security Agency. Yet the potential exists for damage beyond mere theft of classified information, including data manipulation or misinformation. While there is no evidence to suggest that this has happened, hackers would have had the ability, some say, while in U.S. systems to alter personnel files and create fictitious ones that would have gone undetected as far back as 2012. Another concern is the possibility for data publication, as was done with the Snowden records. Dissemination of sensitive personnel files could damage the ability of clearance holders to operate with cover, and could open them up to potential exploitation from foreign intelligence agents.