Rather than aiming for immediate gratification, it appears that hackers are specifically directing their efforts towards medical records and personnel files, which are a treasure trove of valuable personal information. This, experts say, will allow a much greater long-term payoff than credit card information due to the sheer volume of information contained in these more detailed records.
In the first five months of 2015 alone, three major insurance companies were hacked, including Anthem, Premera, and CareFirst, compromising tens of millions of individual records that contain detailed information about the victims’ identities. And with the most recent attack on the Office of Personnel Management, in which some 4 million files on current and former federal employees were accessed, hackers were similarly able to get their mitts on Social Security numbers, employment histories, job performance reports, and training data.
Mark Bower, a security expert with Hewlett-Packard, told the Christian Science Monitor that attacks like these are “less about money, but more about gaining deeper access to other systems and agencies.” In fact, as Reuters reports, the value of credit card data has fallen drastically on the black market, with demand instead geared towards information with broader impact and applications — namely medical data, personal records, and other individualized identity information.
As John Pescatore, director of emerging security trends at the SANS Institute, told ComputerWorld, “there’s a bunch of ways you can turn [medical data] into cash,” with Social Security numbers and addresses being used to apply for credit cards, and other monetization methods.
This new tactic is one that has certainly raised red flags for security experts across the country, who are faced with the new challenge of thinking two steps ahead of the hackers, anticipating how they will use the information. John Hultquist, the senior manager of cyberespionage threat intelligence at iSight, told The New York Times, “It looks like they are casting a very wide net, possibly for follow-on operations or for identifying persons of interest, but we’re in a new space here and we don’t entirely know what they’re trying to do with it.”
Hopefully, Hultquist and his colleagues will figure it out before it happens.