The news just came out that the OPM data breach was even more serious than was first announced. The toll has risen from 4.2 million to the present total of 22.1 million people – nearly seven percent of the US population. They are now saying that nearly 2 million of these aren’t even people who have applied for security clearances themselves, but are spouses and other people close to applicants. What a wealth of information for cyber-criminals!
One of the things that make this such a bad hack is the kinds of information that may have been revealed. Background checks, depending on the level of clearance that is being applied for, can delve into an individual’s past quite extensively. Information such as all your past addresses, who you associated with, who your teachers were, the periodicals you read, your medical history, your arrest records, the organizations you associate with, etc., etc. Just the sort of juicy information that Spear Phishers dream of! But worse than that, this is the sort of information that can be used to blackmail people.
Blackmailing is probably the most dastardly type of social engineering there is. Here you are; nice family, good job, couple of kids, respected in the community – life is sweet! Then all of a sudden, someone contacts you and threatens to release some scurrilous information to the public if you don’t do as they say. Maybe you were arrested for something embarrassing such as being caught as a Peeping Tom. Maybe it lists a past relationship that you were not candid about with your spouse. Maybe it’s an embarrassing medical condition such a venereal disease. Or maybe it’s some really bad dirt concerning your spouse or another family member. Whatever it may be, suddenly you are faced with the choice of cooperating with criminals and breaking the law or abject ignominy – what would you do?
It’s amazing how many people will actually cooperate with their blackmailers and do their bidding. Even if it means jail time! Either alternative seems so bad to the blackmailed that they just can’t face either. So they go along in the desperate hope that nobody will find out and the whole mess will just go away. Good luck!
The way to deal with this problem, in my opinion, is to give them a third choice. Agencies and organizations should set up programs that offer forgiveness and help for these individuals if they come forward. Make sure that your personnel are aware of the possibility of blackmail, explain the forgiveness program to them, and make them understand that no matter what, they are better off reporting the incident than submitting to intimidation.
New Blog Post: OPM Data Breach: Food for Spear Phishing and Blackmail http://t.co/aATLYsmwzn