The #DataInsecurity Digest | Issue 71

New fraud related to OPM hack underscores growing threat of data breach fallout

By John Breyault (@jammingecono,
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: The fallout from the OPM breach continues as media outlets have learned that criminals are using the data to take out fake loans. Demonstrating harm in data breach cases is often difficult for the individuals affected, but the OPM case gives a peek into how fraud can flow from breaches. Unfortunately, several new studies are suggesting that 2018 is not on track to provide any data breach relief for consumers. The Ponemon Institute estimates that 38 percent of public sector entities will suffer an attack, and two-thirds of small businesses don’t work to improve their cybersecurity in the aftermath of a breach, which sets them up for yet another breach. Good news, however, is that some victims of the Equifax breach are receiving a bit of relief in small claims court.

And now, on to the clips!


Despite warnings of Russian interference in the midterm elections from top intelligence officials, White House remains silent. To fill the leadership void, members of Congress are stepping up by convening a summit next month to determine just how severe the threat is. “We’re getting so many mixed signals, depending on what the agency is,” said Senate Intelligence Chairman Richard Burr (R-NC). “It compels us to bring everybody together in the same room and try to figure out whether or not there’s some stovepipe issues.” (Source: Politico)

Four years after the OPM breach, we now know what criminals are using the data for. The Washington Post reports that “two people have admitted in Newport News federal court they used the stolen identities to take out fake loans through a federal credit union.” Left unexplained is how the individuals obtained the OPM information, as the hack was traced back to China and the criminals “were not accused of any hacking-related crimes.” (Source: Washington Post)

Quick hit: In 2017, the average data breach cost companies $3.6 million. The report also found the average cost per lost or stolen record was $141. (Source: Ponemon Institute)

Data breach victims are taking Equifax to small claims court and winning. While this may be good news, as one plaintiff—a small-business owner in San Francisco—put it, “I’m happy to get the money, but it’s not really over because I know my information has been leaked and you can never put it back.’” (Source: New York Times)

Ponemon Institute estimates that 38 percent of public sector entities will suffer a ransomware attack this year alone. @jon_kamp and @scottmcalvert observe that “[p]ublic-sector attacks appear to be rising faster than those in the private sector.” However, @nppd_krebs notes that hackers generally don’t target specific cities, but instead are constantly searching for vulnerabilities wherever they may occur. “The trick about ransomware right now is that it’s typically not a targeted, focused attack,” says DHS’s Christopher Krebs. (Source: Wall Street Journal)

Employee negligence is perceived to be the main cause of data breaches by employers. A report by Shred-it found that “47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.” (Source: CNBC)

New report: Two-thirds of small business do not improve their data security after a hack. Perhaps unsurprisingly, the same report also found that 44 percent of small business suffered multiple attacks last year, according to a survey by insurer Hiscox. (Source: Associated Press)

FBI to World Cup fans: Leave your devices at home. The FBI is advising Americans to not take electronic devices with them “because they are likely to be hacked by criminals or the Russian government.” William Evanina, director of the U.S. National Counterintelligence and Security Center, warned travelers that “[i]f you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you—make no mistake—any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cybercriminals.” (Source: Reuters)

Upcoming Events

August 9-12, 2018 – DEF CON 26 – Las Vegas, NV
DEF CON is the world’s longest-running and largest underground hacking conference. Each summer, hackers, corporate IT professionals, and three-letter government agencies all converge on Las Vegas to absorb cutting-edge hacking research from the most brilliant minds in the world. (Source: DEF CON)

National Consumers League
Published June 28, 2018