Seems like everything in confidential files eventually ends up on hackers' hard drives. Why do they want all that information? Recently it was the IRS who fessed up to a loss of taxpayer data. Now it's the U.S. Office of Personnel Management's turn. Here's their news release. (See below for some useful tips from there.)
What will hackers do with all that information? Jeremy Wagstaff speculates for Reuters in Medical data, cybercriminals' holy grail, now espionage target. Excerpt:
Whoever was behind the latest theft of personal data from U.S. government computers, they appear to be following a new trend set by cybercriminals: targeting increasingly valuable medical records and personnel files.
This data, experts say, is worth a lot more to cybercriminals than, say, credit card information. And the Office of Personnel Management (OPM) breach revealed on Thursday suggests cyberspies may now also be finding value in it.
Credit card information is so easily obtainable on the black market that it isn't worth much these days, he says. But medical records are a different matter. Apparently, a person's medical records can gain access to drugs and medical devices at the expense of someone else.
The OPM news release focuses on something more likely, the possibility of future spear phishing expeditions to get further infiltrated into government computers. Here's their tip sheet:
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).
Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).
Take advantage of any anti-phishing features offered by your email client and web browser.
Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
Looks like good advice.