The US government’s reputation regarding cybersecurity took another hit in June 2015 when authorities revealed that hackers had broken into databases at the Office of Personnel Management (OPM) and the Department of the Interior. The attack was one of the largest thefts of US government information in history.
Initially, the government stated that approximately 4 million former and current federal employees might have had their records stolen. However, upon further investigation, several news outlets reported that the number of potential victims totaled as many as 18 million people.
The data breach is especially devastating because of the type of information that was stolen. The OPM handles the overwhelming majority of background checks for the federal government, and has extensive information about applicants for federal positions. This highly sensitive information could be used to blackmail these people or target them for cyberattacks.
While the investigation is still ongoing, many experts believe that China is behind the attack. The Chinese government has denied the allegations, though it has been linked to similar incidents in the past. The massive data breach highlighted the US government’s ineffective defenses, but it was the authorities’ subsequent actions that showcased a controversial approach to cybersecurity.
The Initial Response
Shortly after the news broke about the attack, the government announced that it would provide 18 months of credit monitoring and identity theft insurance to anyone who might have been affected by the attack. The authorities also said that they would be working with CSID, a leading identity protection service provider.
These disaster recovery efforts hinged on a massive email campaign designed to reach out to potential victims. The government said that the messages would be sent from the email address firstname.lastname@example.org and that they would contain PIN codes that the recipients could use on CSID’s website.
This approach stunned several cybersecurity experts. They criticized the government for sending important information via email, and for publicly announcing the details of the email campaign. These high-risk actions increased the likelihood of future cyberattacks by inviting hackers to launch phishing attacks against federal workers and their families.
Phishing involves the use of email messages that are designed to look like they were sent from a legitimate organization. In this case, the organization would be the OPM, and the message would inform recipients that they would need to download an attachment or visit a website in order to sign up for the government’s free credit monitoring program.
If a recipient of this email were to download the attachment that contained malware, they would unknowingly infect their computer. The hacker would then be able to take over their machine, steal information, and spread malware to other computers. Similarly, if a target were to click on a link in the email message, they would be directed to a website controlled by the hacker, who would use it for the same malicious purposes.
By revealing the sender’s email address, the government made it easier for hackers to mount phishing attacks, either by spoofing the address (forging the message headers so that an email appears to come from the legitimate address when it was actually sent from somewhere else) or by using similar-looking addresses. For example, many of the data breach’s potential victims would probably fail to notice that a fraudulent email was sent from email@example.com (an extra “s” in CSID) rather than the real firstname.lastname@example.org. The sheer number of recipients, the millions of people affected by the OPM breach, means that even if only a small percentage of them fell for the attack, it would still produce thousands of victims.
Experts have already seen an attack like this. Officials at the Redstone Arsenal in Alabama sent a memo to employees at the facility that warned about a phishing attack. The memo said that a fraudulent email message was sent to all Department of Defense workers. The message featured a subject line stating that it was an “important message from the US Office of Personnel Management,” and its sender was allegedly a chief intelligence officer from the OPM. The message told recipients to go to a hacker-controlled website, where they were instructed to hand over personal information.
How to Defend Against Phishing Attacks
Becoming aware of these threats is the first step toward countering them. Learn how to recognize fraudulent messages, and don’t open messages from senders that you don’t recognize. If you recognize a message’s sender, but it still looks suspicious, contact the sender to make sure that they actually sent it.
Avoid clicking on links in suspicious emails. Instead, manually enter the website in the address bar. If, for whatever reason, you want to click on a suspicious link, first hover your mouse cursor over the link to ensure that the URL is what you are expecting.
Never send out personal information in reply to an email message or through a link that you’ve received in an email message. Large organizations, such as government agencies or financial institutions, will already have this information on file. Even if they didn’t, they would never use an email message to ask for it. Any email message that asks for this information should be treated as a phishing attack.
Your company’s cybersecurity strategy should include an employee training program that teaches staff members about phishing and other online threats. For more ways to prepare your company for the possibility of a cyberattack, contact the Total Cover IT Team.