US Office of Personnel Management
- Known vulnerability
- Outside attack
The United States Office of Personnel Management (OPM) announced a breach in June 2015. OPM gathers information on US federal government employees, including security clearance background information.
Personally identifiable information on 21.5 million people was taken, including Social Security numbers, names, addresses and, for some, the detailed financial and personal information gathered to grant a security clearance, including fingerprints for 5.6 million employees, presumably those in the most sensitive positions.
The breach was active for more than a year and appears to have been discovered when a cyber security company demonstrated its forensic products on the OPM system, and then helped with the incident response.31 It is not clear how the system was infiltrated, but it is clear OPM knew of security vulnerabilities, and key data was not encrypted, possibly because of the age of OPM’s computer systems.32 The breach was assumed to originate from China. The Chinese government denied it was state-sponsored, and later arrested individuals who it said were responsible.33
OPM awarded a contract for USD 133 million to a company to provide three years of credit monitoring for all employees and former employees whose data was taken. It is not clear whether, or how, OPM is updating its systems and cybersecurity.
In addition to the financial risk of identity theft, employees are subject to potential blackmail attempts based on the information in their background checks, particularly those who had very detailed and personal investigations before being granted access to classified information, while agents outside the US can be definitively identified based on their stolen fingerprints.34
The director of OPM resigned after the full extent of the breach was revealed, and then the Chief Information Officer resigned two days before she was scheduled to testify before a US House of Representatives panel. A Congressional report on the attack showed the vulnerabilities were known and the attack was preventable.35
This case is a lesson in false economies: the old systems appear to have been vulnerable to attack, OPM lacked the capability to detect an attack, and the data had not been encrypted to mitigate the impact. As a result, the employees entrusted to safeguard government secrets were themselves put at risk.