Since the breach was disclosed in June, the response to the compromised background investigation files and a separate intrusion into personnel data of 4.2 million people has focused mainly on the risk of identity theft.
For example, a contractor for the Office of Personnel Management is offering credit monitoring and identity theft protection to the group of 4.2 million active and former federal employees. Another company scheduled to be hired in August is expected to offer the same services for a longer stretch for the larger group of more than 21 million people whose background investigations were compromised.
But the research service, in a July 17 brief that it has not made public, underscores widespread speculation that “the OPM data were taken for espionage rather than for criminal purposes” and says the theft of sensitive employee records could go way beyond credit card fraud.
“…A trove of data from breaches such as those at OPM can provide a number of avenues for criminals to exploit,” the report said. Identity theft and financially motivated cybercrime (like credit card fraud) are possible outcomes of the hack. But CRS cautions that “experts have been skeptical as to whether compromised information from the OPM breaches will even appear for sale in the online black market.”
Some national security experts have compared the potential damage from the OPM hacks to Edward Snowden’s leaks of classified data from the National Security Agency. CRS says the recent hacks have even greater potential for damage “beyond mere theft of classified information.” The hackers could alter personnel files. They could create fictitious ones. They could publicize sensitive personnel files and open them up to potential exploitation from foreign intelligence agents.
Of the two different OPM networks that were breached, the employee database contains records such as Social Security numbers, salaries and promotions. The sensitive security-clearance data includes fingerprints and extensive health, personal and financial histories. The information belongs to those who work for the government, used to work there and, in the case of the background investigations, contractors and those who applied for government jobs.
The research service concluded that criminal charges against the Chinese are unlikely because the breach falls into a category of counterintelligence: “The OPM breach so far appears to be seen in the category of intelligence-gathering, rather than commercial espionage.”
Over the past year and a half, the United States has moved aggressively against foreign governments accused of stealing the corporate secrets of major companies. But the response to intrusions targeting government-held data has been more restrained. The research service noted that Director of National Intelligence James R. Clapper Jr. and others have even expressed grudging admiration for the OPM hack, saying U.S. spy agencies would do the same against other governments.
So far, the stolen employee data has not appeared in what researchers call the “criminal underworld,” further evidence that the data was hacked for purposes of spying.
CRS says that if the fingerprints in the background investigation files are of high enough quality, “depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes.”
Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they’re compromised, fingerprints can’t be reissued like a new credit card, the report says, making “recovery from the breach more challenging for some.”
This news will likely be cold comfort to federal employees who are waiting for the government to offer them credit monitoring and other protections, and to lawmakers and employee unions that are pushing for lifetime credit monitoring: It may not do much.