The Pentagon plans to spend $132 million dollars on credit monitoring for current and former employees who were impacted by the breach of the US Office of Personnel Management. Ken Westin, Security Analyst for Tripwire, Lamar Bailey, leader of Tripwire's Vulnerability and Exposures Research Team (VERT) and Craig Young, Cybersecurity Researcher for Tripwire agree the money would be far better spent on actually fixing the problem instead of credit monitoring.
“Credit monitoring does very little to mitigate the risks involved in financial breaches, especially those where the motives of the cybercriminals that took the data are not known. Credit monitoring can be somewhat useful in cases where the motive is financial. If the attackers seek to either sell the compromised data in underground markets or utilize it in various forms of fraud, or use it to harvest additional data for profit then credit monitoring can be valuable. However, cyberattacks that may be sponsored by nation-states for espionage purposes pose very different and serious problems that credit monitoring cannot solve.”---Ken Westin, Security Analyst for Tripwire
“Credit monitoring has become the norm for every consumer breach but generally it does almost nothing for consumers. It is the equivalent of putting some ointment on a broken arm; the only real help it provides is to the credit monitoring companies’ bottom line. Unfortunately, it’s cheaper for organizations to buy credit monitoring for victims than it is to spend the time and money to secure consumer data.”-- Lamar Bailey, leader of Tripwire's Vulnerability and Exposures Research Team (VERT)
“I'm sure the millions of consumers whose financial data has been stolen could care less about credit monitoring. For organizations that have had a breach involving sensitive financial data it would be far better to spend money on the systemic cybersecurity problems that make hacks like this possible instead of credit card monitoring. Unfortunately, the damage in breaches involving financial exposure leaves many victims now afraid to even travel to certain parts of the world out of concern for who may now know their deepest secrets.”---Craig Young, Cybersecurity Researcher for Tripwire