Hacked 4 Life
Last week I received a notification from the Office of Personnel Management (OPM) informing me that my data was among the 21 million records compromised in the June 2015 data breach. While this wasn’t a surprise, it was still the worst possible news.
In the past, when I had been the silent victim of a data breach, my credit card number was the only data compromised. Like millions of other victims all over the world do every year, I simply cancelled the card and the bank issued a new one. If I saw any fraudulent transactions, the credit card company would reimburse me. No harm, no foul.
However, there is no way for me to do that with my personal information; I will not get a new Social Security number or a different personal history. I am very much hacked for life.
What Was Compromised
The letter says along with my Social Security number, the following information was also compromised:
- My current and previous addresses
- Date and place of birth
- Education and employment history
- Overseas travel history
- Information about immediate family members
- Personal and business acquaintances (I wonder if they will also get letters?)
- My fingerprints
In response to the compromise of this personal information, OPM has offered me and my children credit monitoring, identity monitoring, identity theft insurance, and identity restoration services for the next three years.
My Privacy Is Gone
As I write this, I am trying to wrap my head around the enormity of the situation. To be honest, I am having a hard time. It seems almost surreal that my personal information will never again in my lifetime be secure. The breach has deprived me and millions of other impacted individuals of the option of keeping our personal information personal. That data is gone. My privacy is gone. There is no chance of getting it back. Ever.
While I appreciate OPM’s efforts to provide me with credit and identity monitoring and recovery services for the next three years, I believe these services to be inadequate in relation to the breadth and depth of what was taken from me.
Even if I am 100% covered against personal fraud or identity theft for now, what happens after those three years are up? How can I be sure the agency that failed to protect my data in the first place is now going to step up and do everything in its power to ensure I do not suffer any negative impact? How can it prevent the almost certain monetization and fraudulent usage of my personal information? Not just mine—me and roughly 20,999,999 other Americans. The potential cost is simply too high for that to ever happen.
How Much Will It Cost?
Just for fun, let’s do some back-of-an-envelope math. Based on some quick research I did, I’ll guess that combined credit monitoring and ID theft protection services cost around $180 per year per individual. Covering all 21 million Americans impacted in this breach will cost $3.78 billion per year, or $11.34 billion for all three years.
Next, according to the 2014 Cost of Data Breach Study by IBM and the Ponemon Institute, the average cost per lost or stolen record was $145. Applying that figure to the 21 million records adds another $3.045 billion to the tab. That’s if the losses are average. Considering the detail of the data that was compromised, they could be a lot more than average.
Altogether (this sounds like my son’s third grade math homework) we get a total estimated price tag of $14.385 billion, call it $14.4 billion. But this is a very quick and conservative estimate; the final cost could be much, much more.
The depressing thing is how much less it would have cost to protect the data better in the first place—but more of that later.
Who’s Paying the Bill?
So, here’s the real kicker: where is that nearly fourteen and a half billion dollars going to come from? You got it, the American taxpayer!
So our data gets stolen, sold to who knows how many cybercriminals, more than likely used to commit fraud over and over for the foreseeable future, and we also have to foot the bill. Unlike the victims of the Target or Ashley Madison breaches, we can’t sue the federal government in a class action lawsuit. Even if we could, and even if we won, we’d lose again because the cost of that litigation and any settlement paid out to us as individuals would come right out of our pockets and those of our fellow Americans.
The Impact Is Unquantifiable
I think it’s fair to say that this is the first time an organization’s failure to implement comprehensive security controls has resulted in a data breach the overall impact of which is unquantifiable.
I say this because the services being offered to victims are based on what we currently know about fraud and identity theft. That’s good for today and maybe for the next year or so, but technology is constantly progressing. Our lives are becoming intertwined with cloud services, smart devices, and the internet of things. How far into the future is it before almost all our societal, financial, and educational interactions have a technological component?
All those interactions will need an authentication mechanism to ensure the individual with whom the system is interacting is actually that person. However, for 21 million Americans, that possibility will be forever tainted since our data is in the hands of an undetermined number of criminal organizations or hostile foreign governments.
Cybercrimes of the Future
It also remains unknown what criminals could do with this data in the future; what crimes have they not even thought up yet? How might a criminal impersonate me? What types of fraud could they commit aside from the financial crime that is commonplace today? In my opinion, financial fraud is the low-hanging fruit in this orchard of crime. What about fraud that is much more difficult to quantify, with an impact that we cannot possibly foresee?
For example, by committing voter fraud at scale, criminals could sway election results. Elections have an impact on legislation. Legislation has an impact on our domestic and foreign policies. Domestic and foreign policies impact human life all over the world every day.
What about prescription fraud? Criminals could obtain prescriptions for massive quantities of controlled substances to the benefit or detriment of a particular pharmaceutical company.
These are just some examples I can think of off the top of my head (and fit into this blog post). There are more. Lots more.
Putting the Toothpaste Back in the Tube
So what, if anything, can be done?
For starters, the Social Security Administration, which issues Social Security numbers, should immediately start working on a strategy to replace the numbers of all the impacted individuals. Failing to do so would be like telling you to keep your credit card number after it was compromised.
Babies are born every day and each of them gets a shiny new Social Security number, so it’s obviously possible. It won’t be easy or convenient, but it certainly beats the alternative and could help eliminate a multitude of future cybercrimes. As non-participant victims, I think we deserve it.
Next, the Federal Government needs to start working on an authentication mechanism that does not involve any of the data elements that were stolen. Several candidate factors exist today, such as retinal scanning, facial mapping, hand geometry, and behavioral pattern matching (like voice pitch and frequency or keyboard input speed and letter grouping), and they could be used in conjunction with old-fashioned passwords or tokens. Fingerprints are missing from that list for a reason: a biometric, once copied, can no more be reissued than a Social Security number, so any biometric should serve as one factor alongside a password or a hardware token rather than as the sole proof of identity.
Finally, OPM should really revisit its security strategy and implement a holistic solution that includes continual testing, deficiency correction, deploying countermeasures, and active threat monitoring.
This Breach Could Have Been Prevented
While I did not work on this case specifically, my experience investigating more than 2,500 breaches tells me it was preventable. I’m comfortable saying this because I have yet to see a breach that couldn’t have been prevented had the breached entity taken appropriate measures to protect the data with which it was entrusted. OPM didn’t and we are all going to pay the price.
The truly frustrating thing is how much less it would have cost. Implementing adequate security controls and performing continuous testing and monitoring of those systems would run up a bill of maybe a couple hundred thousand annually. Let’s estimate way high and say $500,000 per year for OPM to perform penetration testing and deploy technical countermeasures sufficient to protect our private data from hackers.
With the same sum of money I’ve estimated as the overall cost of the breach—and honestly, it will be way higher than that—OPM could have protected its systems for the next 28,770 years.
With Big Data Comes Great Responsibility
Businesses and governments all over the world are collecting more and more data. In the immortal words of Stan Lee, “With great power comes great responsibility.” Or if you’d prefer me to quote scripture, there's Luke 12:48: “From everyone who has been given much, much will be demanded; and from the one who has been entrusted with much, much more will be asked.”
To be blunt, organizations need to take the security of that data more seriously. They can no longer complain that it is an inhibitor to business. Rather, they must view it as a mechanism to bolster customer confidence and prevent catastrophic loss. I also believe custodians of personally identifiable information have a moral and ethical responsibility to protect that data.
Organizations need to learn from the mistakes of others, and take a long, hard, honest look at their security posture. Allocating the resources necessary to protect their critical value data is the cost of doing business in cyberspace, not an afterthought and not an inhibitor.
Failing to do so will cost far more money in the long run, destroy customer confidence, and give cybercriminals the resources they need to commit further crimes.
This is a really easy choice.