The Office of Personnel Management has just closed a 133 million dollar contract to protect 21.5 million OPM data breach victims for three years. Wow, "Barn, Horse" anyone? This is an egregious waste of our tax money. Spending that kind of IT budget to replace the old systems that were hacked would have been the sane thing to do. And three years of protection is not enough either.
The Chinese cyber army has patience. They have by now cross-referenced the OPM hack info and the AshMad database to filter out the most vulnerable people - and their spouses - to spear-phishing, and or blackmail/extortion.
The threat of infidelity of a spouse is an important social engineering tactic, anyone would be tempted to find out if their spouse is on the AshMad list, especially if that spouse is on months-long deployments.
A recent simulated AshMad phishing attack template we released scored an average 4.2% click rate over the dozens of KnowBe4 enterprise accounts who sent that template to their employees.
End-users need to be taught that their business email address is property of the company and they cannot use it for private "endeavors". This is something that should be nipped in the bud with effective security
awareness training.
We have cross-referenced the AshMad database with email addresses that our customers have uploaded for phishing tests, and we are in the process of individually notifying customers if there are one or more compromised email addresses so they can take preventive action.
Which of your email addresses are exposed on the Internet and are a target for phishing attacks? You can get a one-time no-charge Email Exposure Check (EEC) sent to you if you want to know how big your email attack surface is:
