What Does China Want With…

June 15, 2015

I’ve been asked by journalists and clients about the recent security breaches at Anthem, other health insurers and last week the breach of information from the Office of Personnel Management.

I don’t want to get into the discussion or argument on the “who” of these breaches. Let’s just pretend for a moment that it’s all the same person.

Why Are These Breaches Different?

If I look back to the breaches of 2014 — Target, Home Depot, Jimmy John's, etc. — the signature event of the breach is the credit card numbers being sold in various underground forums.

In all of the breaches described above, the information is personal information — names, addresses, phone numbers and, with the latest OPM breach, background search information.

To date, this information is not being sold. To quote one journalist I spoke with, “What’s going on here?”

There are more breaches we don’t know about

Credit card breaches are easy to detect. That’s why we hear about them so often. As the credit cards are reused, the analytics engines of the banks can quickly determine the common usage point and likely location of the fraud.

With most other types of information, there are no key external indicators that help determine if information is stolen. Additionally, criminals try to sell and use credit card numbers as fast as they can before the banks figure it out. With other stolen data elements, there is no rush to use them.

Given this, a good deal of other personal information has probably been stolen that we don't know about yet. Remember this as I move forward with my theory.

Breach Motivation

There are a few motivations for stealing personal information.

  1. **Monetization:** They want to steal the information to sell it. This was the motivation of the people behind the Target breach. Sell the credit card numbers as fast as they can.
  2. **Competitive Advantage:** These types of attacks aren't publicized as much. A competitor wants to compete better in the marketplace and steals intellectual property.
  3. **Embarrassment:** The Sony breach was the first major victim of this type of attack. Companies which are in controversial businesses tend to worry most about this.
  4. **Pivot:** The information stolen isn't directly related to the end goal. If I'd like to put an accountant out of business, my first attack may be getting a list of their clients.

What does Target have to do with OPM?

Since the Anthem attack occurred a few months ago, I've been calling it a pivot attack. The information will be used elsewhere. Especially with a pivot attack, it's hard to predict how the information will ultimately be used.

Assuming the attackers behind all of the recent breaches are the same, I've started to put together a picture of how they *might* use the data.

When talking about big data I often refer to Target and their ability to predict when a shopper is pregnant. (Hand cream is a giveaway, apparently.) Given massive amounts of data, information that isn’t otherwise obvious becomes obvious.

Many years ago, casinos were able to determine that when the emergency contact of a dealer walks into their casino, there is a very high likelihood of fraud. The study of these types of big data problems is called non-obvious relationship awareness.

So our attacker has a wealth of information. Besides Anthem and OPM, there are likely other sources of information. This presents an opportunity to build out a number of data models.

Two Theories on How To Use Breach Data

First, the glass half full theory.

The US market is one of the largest markets to sell to. When creating many products, the needs of the US are the first priority. This data makes for great marketing analytics. Given a competitive sales landscape, I could likely bring to market a set of products and services targeted specifically at a chosen target market.

Recently, the government admitted that the background search information used for clearances was stolen. One of the questions asked on the background check form is "What countries have you traveled to in the past 7 years?"

Wouldn’t an airline love to have this information to better market their international flights? It’s also a good list of people to sell international carry-on luggage. The marketing opportunities are endless.

Second, the glass half empty theory.

If Target can figure out who is pregnant and a casino can figure out who is going to commit fraud, there are a million non-obvious scenarios which can be determined.

In its simplest form, let's look back at the background check information. Another question on the background check form is "Who are other people we should talk to?" This is in the same context as your emergency contact at the casino.

Targeting someone with a Top Secret clearance may be hard. They are on alert and likely more diligent about clicking links in their e-mail. (Well, we hope.)

Targeting the personal reference of someone with a Top Secret clearance may be easier.

You could also perform A/B testing to determine the set of people who are most likely to fall for certain types of attacks. For example: men aged 47 to 53 who live in a warm state and are fully employed are most likely to respond to a phishing e-mail on Sunday mornings between 9 a.m. and 11 a.m.

You get it. The options are endless.

Where do we go from here?

As information security professionals, we all understand the risks of regulated data (credit cards, SSNs, etc) but often overlook the more benign data elements.

Many companies — Amazon especially — do a fantastic job of tracking my behavioral history and recommending new products I should buy.

All of this information — while benign individually — can be used to derive incredibly valuable data. We shouldn’t assume it has no value. We shouldn’t protect it as though no one wanted to steal it.

Those that are already managing regulated data get it. Those in industries which generally don't have regulated data may not. Look back at your application portfolio and think about whether the data you have could be combined with a different dataset to create more value. If so, make sure it's adequately protected.
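The point about non-obvious relationships and the closing recommendation both come down to the same check: what does the join of two datasets reveal that neither reveals alone? Below is an added example of that check (it is not code from the original post, and the two tables are constructed here, not real data). It takes an internal staff directory and a travel-expense export, neither of which holds regulated data, finds the fields they share, measures how many records those shared fields single out (k-anonymity), joins the tables, and flags the combined view as sensitive when any record is re-identified with certainty. The helper names (`linkage_report`, `min_group_size`, `uniquely_linked_keys`) are this example's own.

```python
from collections import Counter, defaultdict

# Constructed sample tables (not from the post). Neither holds regulated data such
# as SSNs or card numbers; the fields they share are ordinary "benign" attributes.
DIRECTORY = [
    {"emp_id": "E1", "zip": "22030", "birth_year": 1972, "emergency_contact": "R. Alvarez"},
    {"emp_id": "E2", "zip": "22030", "birth_year": 1985, "emergency_contact": "K. Nguyen"},
    {"emp_id": "E3", "zip": "80202", "birth_year": 1972, "emergency_contact": "M. Okafor"},
    {"emp_id": "E4", "zip": "80202", "birth_year": 1972, "emergency_contact": "T. Brown"},
]
TRAVEL = [
    {"zip": "22030", "birth_year": 1972, "countries_visited": ["DE", "IL"]},
    {"zip": "22030", "birth_year": 1985, "countries_visited": ["FR"]},
    {"zip": "80202", "birth_year": 1972, "countries_visited": ["CN"]},
]


def shared_quasi_identifiers(a, b):
    """Field names present in both tables; these are the candidate join keys."""
    return sorted(set(a[0]) & set(b[0]))


def _key(row, keys):
    return tuple(row[k] for k in keys)


def min_group_size(rows, keys):
    """k-anonymity of one table over `keys`: the size of the smallest group of
    rows sharing the same key values. k == 1 means at least one row is singled
    out by those fields alone."""
    return min(Counter(_key(r, keys) for r in rows).values())


def link(a, b, keys):
    """Join the two tables on `keys`; returns (row_a, row_b) pairs."""
    index = defaultdict(list)
    for rb in b:
        index[_key(rb, keys)].append(rb)
    return [(ra, rb) for ra in a for rb in index.get(_key(ra, keys), [])]


def uniquely_linked_keys(a, b, keys):
    """Key values that occur exactly once in each table: those rows are
    re-identified with certainty once the tables are joined."""
    ga = Counter(_key(r, keys) for r in a)
    gb = Counter(_key(r, keys) for r in b)
    return [k for k in ga if ga[k] == 1 and gb.get(k) == 1]


def linkage_report(a, b):
    """Assess what the combination of two tables reveals that neither does alone."""
    keys = shared_quasi_identifiers(a, b)
    pairs = link(a, b, keys)
    unique = uniquely_linked_keys(a, b, keys)
    return {
        "join_keys": keys,
        "k_a": min_group_size(a, keys),
        "k_b": min_group_size(b, keys),
        "rows_linked": len(pairs),
        "unique_reidentifications": len(unique),
        # Merged records: this is the dataset that actually exists once the two
        # are combined, and the one classification should be based on.
        "joined_rows": [{**ra, **rb} for ra, rb in pairs],
        # Policy choice for this example: any certain re-identification means the
        # combined view is sensitive even if each input table looked harmless.
        "treat_as_sensitive": len(unique) > 0,
    }


if __name__ == "__main__":
    report = linkage_report(DIRECTORY, TRAVEL)
    print(f"join keys: {report['join_keys']}, k_a={report['k_a']}, k_b={report['k_b']}")
    print(f"{report['unique_reidentifications']} employees re-identified with certainty")
    for row in report["joined_rows"]:
        print(f"  {row['emp_id']}: contact={row['emergency_contact']}, travel={row['countries_visited']}")
    print("treat combined data as sensitive:", report["treat_as_sensitive"])
```

On the constructed data, zip code and birth year are enough to join the tables, and two of the four employees are matched to a single travel record, so the joined view pairs an emergency contact with a list of countries visited even though neither source table contains that pairing. That joined view, not the individual tables, is what should drive the classification and the protection applied; the same report run across an application portfolio shows which pairs of "benign" datasets deserve the treatment normally reserved for regulated data.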