The unfolding story on what is being described as the largest cyberattack into the systems of the United States government reads like an episode out of CSI Cyber.
Today the head of the Office of Personnel Management (OPM) Katherine Archuleta resigned as fallout continued in the wake of Thursday’s revelation that the second of two massive data breaches exposed the personal data of 21.5 million federal employees, contractors, applicants and family members.
This follows the previous breach OPM announced in June in which some 4.2 million federal personnel records were exposed.
The magnitude of the second breach is incredible. In a release, OPM states:
OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”
As the New York Times reports here, every person given a background check for the last 15 years was probably affected (that’s 19.7 million people), as well as 1.8 million others, including their spouses and friends.
It is thought that both OPM attacks emanated from China, though this is not confirmed.
In a week in which reported technical issues halted trading on the New York Stock Exchange, grounded United Airlines flights and took the Wall Street Journal’s website offline for several hours, the OPM announcement once again highlights the limitless nature of cyber exposures.
Meanwhile, a joint report from Lloyd’s and the University of Cambridge, points to the insurance implications of a cyber attack on the U.S. power grid and potential aggregation issues for insurers.
A hypothetical blackout that plunges 15 states into darkness, including New York City and Washington DC, leaving 93 million people without power would result in estimated insurance claims of $21.4 billion, rising to $71.1 billion in the worst case scenario, the report suggests.
Insurers would see losses across many lines of business, including property damage, business interruption, contingent business interruption, liability, homeowners and events cancellation.
Claims across other areas of insurance not included in the estimate are also possible, such as: injury-related claims; auto; property fire; industrial accidents; and environmental liability.
As Lloyd’s says in the report, one of the biggest concerns for insurers is that cyber risk is not constrained by the conventional boundaries of geography, jurisdiction or physical laws: