The Washington Post

The Cybersecurity 202: 'A wake-up call.' OPM data stolen years ago surfacing now in financial fraud case

with Bastien Inzaurralde

THE KEY

It has been four years since hackers stole personal information from 22 million people through the Office of Personnel Management, and only now are we seeing concrete evidence that the data is being used in financial crimes.

A woman admitted in federal court this week that she used the identities of OPM breach victims to take out fraudulent loans through a federal credit union, as my colleague Rachel Weiner and I reported. It appears to be the first criminal case involving OPM data that the Justice Department has publicly disclosed.

The revelation could give new momentum to legislation seeking to provide better protection to the federal employees, retirees and others whose personal information was stolen from two government databases in 2014, and spur lawmakers to consider broader safeguards for victims of similar compromises.

“It’s a wake-up call,” said Rep. C.A. Dutch Ruppersberger (D-Md.), who has floated a bill to give lifetime identity-theft protection to victims of the breach. “You have a person who somehow got that data and information … and she’s trying to use false information to enhance herself. The good news is, we caught her. But there are many out there we haven’t found.” 

According to court records, the woman was part of a group that used OPM data to take out car and personal loans at Langley Federal Credit Union in the names of the victims, then cashed loan checks or got wire transfers from the accounts they set up. She pleaded guilty Monday in federal court in Virginia to conspiracy to commit bank fraud and aggravated identity theft. Another defendant in the case admitted to the same charges last week.

Ruppersberger’s legislation, called the Recover Act, would apply to any current, former and prospective OPM employees whose data was compromised in the breach. Currently, OPM is required to offer identity theft protection coverage only through 2026.

That's clearly not enough, said Ruppersberger, who introduced the bill last month with Rep. Eleanor Holmes Norton (D-D.C.).

“Now that this information is out there it could be used 10, 15 years from now,” he told me. “The OPM breach was one of the biggest that we had in our government network, and a lot of our government employees were impacted. This [case] is an example of how serious this issue is.”

Chris Wysopal, chief technology officer at the cybersecurity firm CA Veracode, agreed that at the very least the victims would need lifetime credit monitoring “given the long tail” of the OPM hack. The hackers stole troves of personal information with “about as rich of a data record as you can get,” Wysopal said. 

The huge heist included information such as Social Security numbers and past addresses, but also security-clearance files containing extensive details about friends, family, relationships and finances for a range of highly sensitive government jobs. U.S. officials have linked the hack to China — though they haven't formally attributed it to the government — and a Chinese national was accused in California last year of using the malicious software deployed in the hack.

How exactly the identity thieves got hold of OPM information isn’t clear. According to court records, one of the people whose identity was stolen told investigators his or her personal information had been compromised in the hack on OPM, but a spokesman for the U.S. District Court for the Eastern District of Virginia would not elaborate on how the thieves may have accessed it.

Wysopal said it was unlikely that the people charged in the case had anything to do with the original OPM breach. He said the data could have surfaced in marketplaces on the “Dark Web,” where criminals could have purchased it for as little as $20 to $30.

No matter how they got it, the type of information stolen in the breach can’t be easily changed, giving it long-term value to a thief, said Jamie Winterton, a data breach expert and director of strategy for Arizona State University’s Global Security Initiative. 

“Unlike a credit card” the bank can easily replace, she said, “this has staying power that can be exploited for years down the line.”

Right now, Winterton notes, the burden of identity theft protection falls on the victims of major breaches, including OPM and the massive hack on the credit-monitoring agency Equifax last year. While OPM, for instance, has offered victims a suite of protective services, including free credit monitoring, victims have been asked to periodically re-enroll, sometimes after just one year, as contracts with the providers of those services have expired. It's not clear how many people have done so.

“Given the frequency and severity of huge data breaches that expose sensitive personal information, it’s time for Congress to put some regulations in place that help protect the victims in a meaningful way,” Winterton said. “Once personal information is stolen, a company can’t retrieve it, and there are complex legal hurdles involved for a victim of identity theft. Lifetime credit monitoring and guaranteed legal assistance would be more fair and more meaningful to victims than a large fine levied on the corporation and a single year of credit monitoring.”

PINGED, PATCHED, PWNED

PINGED: Sens. James Lankford (R-Okla.) and Claire McCaskill (D-Mo.) want to avoid a rerun of the Kaspersky Lab and ZTE scares. The two senators on Tuesday introduced a bipartisan bill that would create a Federal Acquisition Security Council tasked with giving federal agencies information about supply-chain risks for federal purchases of IT equipment. Officials have expressed concerns that Russian anti-virus company Kaspersky and Chinese tech giant ZTE threaten national security.

“The nation continues to work to protect our cybersecurity, and we need to have a system in place that will allow us to address risks before it becomes an issue nationwide,” Lankford said in a statement. “This bipartisan bill will help to clarify each government agency’s role and responsibility and protect the federal government from IT security threats through strengthening supply chain risk management.”

Under the bill, titled the Federal Acquisition Supply Chain Security Act of 2018, intelligence agencies and the Pentagon would share information with civilian agencies about technology issues that could pose a security risk. “We can’t simply respond to supply chain threats piecemeal, we’ve got to have a system in place to assess these risks across the government, and that’s what this bipartisan bill does,” McCaskill said in a statement.

PATCHED: Verizon, AT&T, T-Mobile and Sprint say they will no longer sell user location data to several third-party companies that misused it, The Washington Post's Brian Fung reports. The announcements follow inquiries by Sen. Ron Wyden (D-Ore.) into the use of cellphone users' location information by third-party companies. “Wyden's investigation found that one of Verizon's indirect corporate customers, a prison phone company called Securus, had used Verizon's customer location data in a system that effectively let correctional officers spy on millions of Americans,” Fung writes. “In a letter to the Federal Communications Commission last month highlighting the probe, Wyden said prison officials using Securus's surveillance system could obtain real-time location data on Americans with little more than a 'pinky promise' of propriety, leading to 'activities wholly unrelated' to prison management.”

Verizon told Wyden in a letter released Tuesday that it would end its location data sharing agreements with the data vendors LocationSmart and Zumigo. “We recognize that location information can provide many pro-consumer benefits,” Karen Zacharia, Verizon's chief privacy officer, wrote in the letter. “But our review of our location aggregator program has led to a number of internal questions about how best to protect our consumers' location data. We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers' location data through technological advancements and/or other practices.” Wyden commended the move, saying in a statement that “Verizon deserves credit for taking quick action to protect its customers’ privacy and security.”

From T-Mobile chief executive John Legere, who announced a decision similar to Verizon's:

PWNED: Russian trolls are still trying to sow discord among Americans as the midterms get closer. Some Twitter accounts linked to Russia's Internet Research Agency were still posting divisive content on the social platform as late as last month, the Wall Street Journal's Georgia Wells, Rob Barry and Shelby Holliday report. Democrats on the House Intelligence Committee on Monday revealed a new list of about 1,100 Twitter handles linked to the Russian troll farm IRA. "The newly identified users posted more than 2.9 million tweets and retweets, bringing the total amount of Russian troll farm content on the platform to more than 8 million tweets and retweets, the Journal’s analysis found," Wells, Barry and Holliday report.

The accounts, which have been suspended by Twitter, posted divisive messages on issues such as actress Roseanne Barr's racist rants or Donald Trump Jr.'s divorce, according to the Journal. The Russian trolls even tricked Twitter chief executive Jack Dorsey. Dorsey shared at least 17 tweets from one of their accounts from late 2016 to mid-2017, Wells, Barry and Holliday write. "The tweets from the Russian account that Mr. Dorsey shared touched on topics including Bob Marley’s son converting a prison into a place to grow marijuana and former San Francisco 49ers quarterback Colin Kaepernick, who first sparked the anthem controversy to make a statement on the treatment of African-Americans in the U.S.," they write.

— More cybersecurity news from The Post and elsewhere:

Cambridge Analytica whistleblower Christopher Wylie warns that Facebook targeting threatens free speech (Tony Romm)

Major cryptocurrency exchange Bithumb halts trading after more than $31 million hack (Brian Murphy)

China-based campaign breached satellite, defense companies: Symantec (Reuters)

PUBLIC KEY

— A Senate Appropriations subcommittee on Tuesday approved a bill that would direct $1.1 billion to fund cybersecurity efforts at the Department of Homeland Security's National Protection and Programs Directorate, which represents $86 million more than the budget request. The legislation also directs an additional $6 million to the Secret Service to fund training for state and local authorities in computer forensics and cyber investigations, according to a news release from Sen. Shelley Moore Capito (R-W.Va.), the chairwoman of the Senate Appropriations subcommittee on homeland security. “We have a very strong bill that addresses critical Homeland Security needs — providing the department and its nearly 250,000 employees with the resources they need to carry out a broad set of missions that spans the entire globe,” she said in a statement.

— A 23-year-old Arizona man was sentenced to prison for a series of distributed denial-of-service attacks on the city of Madison, Wis. Randall Charles Tucker was sentenced on Monday in Phoenix to 20 months in prison for carrying out DDoS attacks on the city's computer networks in March 2015, according to a statement from the Justice Department. Tucker was also ordered to pay $69,331.56 to the cyberattacks' victims. “The Madison attack temporarily disabled access to the city’s website and caused internet-connected communication equipment used by emergency workers to become inaccessible or degraded, authorities said,” the Associated Press reported. “The automatic dispatching system for emergency workers was crippled, and other emergency workers experienced problems in connecting to a 911 center.”

— More cybersecurity news from the public sector:

Senate backers of ZTE measure will battle Trump over Chinese firm (Reuters)

DHS solicits feedback on supply-chain initiative from defense, intelligence communities (Inside Cybersecurity)

PRIVATE KEY

— Aleksandr Kogan, the Cambridge University psychologist who collected Facebook users' data and shared it with Cambridge Analytica, says public authorities should strengthen online privacy rules. “The academic said Tuesday he was 'very regretful' for the anger that many users felt over the revelation that their data had been passed along from Facebook through him to political consultants,” the Journal's John D. McKinnon and Deepa Seetharaman report. “Facebook has described Mr. Kogan’s actions as 'a breach of trust,' saying the academic violated its developer policies by selling the data to a third party.”

— Consulting firm Accenture is opening a Cyber Fusion Center in Arlington and intends to add 1,000 technology jobs in the Washington metro area by the end of 2020, according to a statement from the company. The center includes a "war room" and will carry out research into zero-day vulnerabilities. Virginia Gov. Ralph Northam (D) praised the installation of Accenture's center. “The company’s investments in our workforce and our cybersecurity capabilities are helping advance our region’s leadership in solving one of the most challenging issues we face today,” Northam said in a statement.

— More cybersecurity news from the private sector:

Facebook Introduces New Form of Two-Factor Authentication (Nextgov)

WikiLeaks Shares Alleged Diaries of Accused CIA Leaker Joshua Schulte (Motherboard)

Private sector warms to Cyber Command hacking back (CyberScoop)

Can #MeToo Change the Toxic Culture of Sexism and Harassment at Cybersecurity Conferences? (The Intercept)

Amazon's Alexa will now butler at Marriott hotels (Reuters)

SECURITY FAILS

— The anti-virus company ESET has discovered a new kind of malware that can compromise Android devices via the secure messaging app Telegram, CyberScoop's Sean Lyngaas reports. “The malware — which has mostly been distributed in Iran — ensnares its victims by posing as an application pledging more social media followers, bitcoin, or free Internet connections, according to ESET,” Lyngaas writes. “Once downloaded, the malware can carry out surveillance tasks ranging from intercepting text messages to recording audio and screen images from devices, ESET researcher Lukas Stefanko explained in a blog post.”

THE NEW WILD WEST

— A ban on Telegram in Iran, an app that has drawn 40 million users in the country, has hampered Iranians' speech even though many still access the service via VPNs, according to Wired's Lily Hay Newman. “On Tuesday, the Center for Human Rights in Iran published a detailed report on the profound impact of blocking Telegram, based on dozens of firsthand accounts from inside the country,” she writes. “Researchers found that the ban has had broad effects, hindering and chilling individual speech, forcing political campaigns to turn to state-sponsored media tools, limiting journalists and activists, curtailing international interactions, and eroding businesses that grew their infrastructure and reach off of Telegram.”

— More cybersecurity news from around the world:

Huawei’s New Front in the Global Technology Cold War: Australia (The New York Times)

'Olympic Destroyer' Reappears in Attacks on Europe, Russia (Dark Reading)

ZERO DAYBOOK


EASTER EGGS

U.S. Ambassador to the United Nations Nikki Haley says the United States is withdrawing from the U.N. Human Rights Council:

Here are key moments from Secretary of State Mike Pompeo and U.S. Ambassador to the United Nations Nikki Haley's announcement on June 19. (Video: The Washington Post)

A plant found in Virginia has sap that burns and blinds:

An agricultural extension agent identified a plant spotted in Berryville, Va., as the invasive species giant hogweed in June 2018. (Video: Patrick Martin/The Washington Post)

A forest ranger is nearly strangled by 66-pound python he helped capture:

Forest ranger Sanjay Dutta was nearly strangled by a 66-pound python after trying to take a photo with the animal in Jalpaiguri, India, on June 17. (Video: Reuters)