The largest data hack in government history could leave some troops at risk of having their personal information exploited or exposed.
Current and former federal employees began receiving troubling emails from the executive Office of Personnel Management on Monday, notifying them that their personal information was compromised in a massive data breach made public earlier this month. Up to 4 million people may have been affected by the breach, which federal officials said they believe is linked to a Chinese cyber attack.
Media outlets reported that FBI and Secret Service officials, and even cabinet secretaries, may have been victims of the breach. It’s not clear, though, how many active-duty or former troops may be among those affected.
Samuel Shumach, an OPM spokesman, did not say how many service members were estimated to be among the victims, but clarified that the vulnerable are a very specific population.
“No active-duty service member or contractor data was exposed in this incident unless an individual has previous federal civilian service,” he said, adding those affected would be notified between June 8 and June 19 on a rolling basis.
But for troops who fall into this category — particularly those with security clearances — the dangers of having pirated information exposed may be especially high.
Paul Rosenzweig, founder of the homeland security consulting company Red Branch consulting and a senior adviser to The Chertoff Group, said he worried that private information in security clearance questionnaires might be used by a foreign government to blackmail troops and other clearance holders into compromising actions.
“All your overseas deployments, who you know, how you spend your money, prior bad acts, embarrassments ranging from affairs to drug use,” said Rosenzweig, listing information he believed might come to light through the data breach. “… I hold a security clearance myself and I’ve been sitting here thinking of a half-dozen things I haven’t told my wife.”
Though all the sensitive information in the forms was known to the government, there was the risk, he said, that clearance holders might wish to withhold certain facts from spouses or loved ones.
But Andrew Borene, a cybersecurity expert with the Truman National Security Project and a former Marine intelligence officer, said it was unlikely the data could be used for effective blackmail.
“The [forms have] a lot of data, but it lines up with public records anyway,” he said, adding that the questionnaires aren’t used to list prior indiscretions or embarrassments that might otherwise be hidden.
A more threatening prospect, he said, was the potential that stolen information could be used to perpetrate fraud against service members.
Marine Corps Staff Director Maj. Gen. James Laster warned troops to be alert following the data breach in a June 5 announcement that focused on fraud and identity theft risks. He encouraged affected Marines to take advantage of free credit monitoring services and identity theft insurance provided by OPM, and to brush up on existing Corps policies regarding online safety habits and information sharing.
“Our commandant would like for this information and mitigation measures to be shared with all personnel down to the lowest level possible throughout your commands and organizations,” he wrote.
Borene said troops should be on the alert for sophisticated “spear phishing” techniques in which hackers use personal information to create personalized emails that appear to be from a boss or someone else the hacking victim knows.
“If anything looks suspicious, check with the person you know,” he said. “If you mouse over a link to a URL and it shows you the address and the address doesn’t match, that would be something not to open.”
Borene and Rosenzweig agreed the incident should push federal officials to improve security practices and to take the prospect of cyber attacks more seriously.
“There is no question that the federal government as a whole, including Congress, really needs to wake up to the immediacy of cyber threats,” Borene said.
He recommended that Congress move to authorize executive agencies to better collaborate with the private sector in order to safeguard information into the future. The net result of the data breach could be positive, he said, if it were taken seriously.
“It might do good things for operational security across the Pentagon if large numbers of clearance holders became concerned,” Borene said. “It might help to raise individual awareness about responsibility.”
If there is stolen personal data that could be used for blackmail, Rosenzweig suggested that the military branches reach out to clearance holders and inform them that they can disclose any threats they receive to the government with no negative consequences. Those targets would likely include more senior troops with more authority and status, he said. And if it is a coordinated enemy attack, Rosenzweig said, the impact may be felt for decades.
“To me, if it’s the Chinese, it’s going to play out over the next 30 years,” he said.