Office of Personnel Management data breach

In June 2015, the United States Office of Personnel Management (OPM) announced that it had been the target of a data breach targeting the records of as many as four million people.[1] Later, FBI Director James Comey put the number at 18 million.[2] The data breach, which had started in March 2014, and may have started earlier, was noticed by the OPM in April 2015.[1][3] It has been described by federal officials as among the largest breaches of government data in the history of the United States.[1] Information targeted in the breach included personally identifiable information such as Social Security numbers,[4] as well as names, dates and places of birth, and addresses.[5] The hack went deeper than initially believed and likely involved theft of detailed security-clearance-related background information. One victim wrote that the OPM is the agency that asks your neighbors what they know about you that could be used to blackmail you.[6][7][8]

On July 9, 2015, the estimate of the number of stolen records had increased to 21.5 million. This included records of people who had undergone background checks, but who were not necessarily current or former government employees.[9] Soon after, Katherine Archuleta, the director of OPM, and former National Political Director for Barack Obama's 2012 reelection campaign, resigned.


Discovery

The New York Times had reported that the infiltration was discovered using United States Computer Emergency Readiness Team (US-CERT)'s Einstein intrusion-detection program and it predated the Einstein deployment, which began a year earlier.[10] However, the Wall Street Journal, Wired, Ars Technica, and Fortune later reported that it was unclear how the breach was discovered. It may have been a product demonstration of CyFIR, a commercial forensic product from a Manassas, Virginia security company CyTech Services that uncovered the infiltration.[11][12][13][14] These reports were subsequently confirmed by CyTech Services in a press release issued by the company on June 15, 2015[15] to clarify contradictions made by OPM spokesman Sam Schumach in a later edit of the Fortune[11] article.

However, it was not CyTech Services that uncovered the infiltration; rather, it was detected by OPM personnel using a software product of vendor Cylance.[16][17] Later, CyTech independently confirmed the intrusion that had been uncovered by the Cylance software without prior knowledge of Cylance's involvement.

Data theft

Theft of security clearance information

On June 11, 2015, ABC News also said that highly sensitive 127-page Standard Forms (SF) 86 (Questionnaire for National Security Positions) were put at serious risk by the hack. SF-86 forms contain information about family members, college roommates, foreign contacts, and psychological information. At the time, OPM stated that family members' names were not compromised.[6] However, on June 13, 2015, OPM spokesman Samuel Schumach said that investigators had "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, to include U.S. military personnel, and those for whom a federal background investigation was conducted, may have been exfiltrated."[7] The Central Intelligence Agency, however, does not use the OPM system; therefore, it may not have been affected.[3]

Theft of personal details

J. David Cox, president of the American Federation of Government Employees, wrote in a letter to OPM director Katherine Archuleta (obtained by the Associated Press) that, based on the incomplete information that the AFGE had received from OPM, "We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees."[18] Cox stated that the AFGE believes that the breach compromised military records, veterans' status information, addresses, dates of birth, job and pay history, health insurance and life insurance information, pension information, and data on age, gender, and race.[18]

Theft of fingerprints

The stolen data included 5.6 million sets of fingerprints.[19] Biometrics expert Ramesh Kesanupalli said that because of this, secret agents were no longer safe, as they could be identified by their fingerprints, even if their names had been changed.[20]

Perpetrators

According to the Wall Street Journal, U.S. government officials suspect that Chinese hackers perpetrated the breach.[1] The Washington Post has also reported that the attack originated in China, citing unnamed government officials.[5] China has responded to these claims by noting that it has been the target of cyberattacks in the past.[21] It remains unclear whether the attack, if it originated from China, was sponsored by China's government or not.[10] U.S. Department of Homeland Security official Andy Ozment testified that the attackers had gained valid user credentials to the systems they were attacking, likely through social engineering. The breach also consisted of a malware package which installed itself within OPM’s network and established a backdoor. From there, attackers escalated their privileges to gain access to a wide range of OPM’s systems. Ars Technica reported that at least one worker with root access to every row in every database was physically located in China. Another contractor had two employees with Chinese passports.[22]

Motive

Whether the attack was motivated by commercial gain remains unclear.[10] It has been suggested that hackers working for the Chinese military intend to compile a database of Americans using the data obtained from the breach.[21]

Warnings

The OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office of the Inspector General semi-annual report to Congress warned of "persistent deficiencies in OPM's information system security program," including "incomplete security authorization packages, weaknesses in testing of information security controls, and inaccurate Plans of Action and Milestones."[23][24]

A July 2014 story in The New York Times quoted unnamed senior American officials saying that Chinese hackers had broken into OPM. The officials said that the hackers seemed to be targeting files on workers who had applied for security clearances, and had gained access to several databases, but had been stopped before they obtained the security clearance information. In an interview later that month, Katherine Archuleta, the director of OPM, said that the most important thing was that no personal identification information had been compromised.[3][25][26]

Pointing blame

Some lawmakers called for Archuleta to resign, citing mismanagement and the fact that she was a political appointee and former Obama campaign official with no degree or experience in human resources. She responded that neither she nor OPM chief information officer Donna Seymour would do so. "I am committed to the work that I am doing at OPM," Archuleta told reporters. "I have trust in the staff that is there."[9] On July 10, 2015, Archuleta resigned as OPM director.[27]

Daniel Henninger, deputy editorial page director of the Wall Street Journal, speaking on Fox News' Journal Editorial Report, criticized the appointment of Archuleta to be "in charge of one of the most sensitive agencies" in the U.S. government, saying: "What is her experience to run something like that? She was the national political director of Barack Obama's 2012 re-election campaign. She's also the head of something called the Latina Initiative. She's a politico, right? ... That is the kind of person they have put in."[28]

Security experts have stated that the biggest problem with the breach was not the failure to prevent remote break-ins, but the absence of mechanisms to detect outside intrusion and the lack of proper encryption of sensitive data. OPM CIO Donna Seymour countered that criticism by pointing to the agency's aging systems as the primary obstacle to putting such protections in place, despite having encryption tools available. DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment explained further that, "If an adversary has the credentials of a user on the network, then they can access data even if it's encrypted, just as the users on the network have to access data, and that did occur in this case. So encryption in this instance would not have protected this data."[29]
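As an added illustration (not from the article and not OPM's own systems), the following Python sketch models Ozment's point: records encrypted at rest are decrypted for any session holding valid credentials, so what would have caught the theft is the missing detection layer, here a check for an account reading far beyond its baseline. The record store, the accounts, the XOR stand-in for a real cipher and the baselines are all constructed.

```python
"""Added illustration (not from the article): why encryption at rest does
not stop an attacker holding valid credentials, and what access-volume
monitoring over constructed logs would catch."""
from collections import defaultdict

# Constructed stand-in for a real cipher (assumption): a reversible XOR
# keystream so the example runs offline with the standard library only.
KEY = b"demo-key"

def xor_transform(data: bytes) -> bytes:
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))

# Constructed record store: every record is stored encrypted at rest.
RECORDS = {n: xor_transform(f"SF-86 record {n}".encode()) for n in range(1000)}
VALID_USERS = {"hr_clerk", "db_admin"}  # constructed accounts
ACCESS_LOG = []  # (user, record_id) tuples appended on each read

def read_record(user: str, record_id: int) -> str:
    """Decrypt for any authorised session. A stolen credential is
    indistinguishable from the real user, so the key is applied for the
    attacker exactly as it is for the user: encryption does not help here."""
    if user not in VALID_USERS:
        raise PermissionError(f"{user} is not an authorised account")
    ACCESS_LOG.append((user, record_id))
    return xor_transform(RECORDS[record_id]).decode()

def flag_bulk_readers(log, baseline_per_user, factor=10):
    """Return users whose read count exceeds factor x their usual volume.
    This is the detection layer the experts said was missing: it does not
    need to know the credential was stolen, only that the behaviour is
    far outside the account's baseline."""
    counts = defaultdict(int)
    for user, _ in log:
        counts[user] += 1
    return sorted(u for u, c in counts.items()
                  if c > factor * baseline_per_user.get(u, 1))

def simulate():
    # Constructed normal activity: a clerk reads a handful of records.
    for n in range(5):
        read_record("hr_clerk", n)
    # Constructed compromise: a stolen db_admin credential dumps every row,
    # and every row comes back in plaintext despite encryption at rest.
    dumped = [read_record("db_admin", n) for n in RECORDS]
    baseline = {"hr_clerk": 5, "db_admin": 20}  # constructed daily averages
    return len(dumped), flag_bulk_readers(ACCESS_LOG, baseline)

if __name__ == "__main__":
    total, flagged = simulate()
    print(f"{total} records returned in plaintext; flagged accounts: {flagged}")
```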

Investigation

A July 22, 2015 memo by Inspector General Patrick McFarland said that OPM's Chief Information Officer Donna Seymour was slowing her investigation into the breach, leading him to wonder whether or not she was acting in good faith. He did not raise any specific claims of misconduct, but he did say that her office was fostering an "atmosphere of mistrust" by giving him "incorrect or misleading" information.[30] On Monday 22 February 2016, CIO Donna Seymour resigned, just two days before she was scheduled to testify before a House panel that is continuing to investigate the data breach.[31]

Reactions

FBI Director James Comey stated: "It is a very big deal from a national security perspective and from a counterintelligence perspective. It’s a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government."[32]

Speaking at a forum in Washington, D.C., Director of National Intelligence James R. Clapper said: "You have to kind of salute the Chinese for what they did."[33]

President-elect Donald Trump said: "China, relatively recently, hacked 20 million government names. How come nobody even talks about that?"[34]

References

  1. Barrett, Devlin (5 June 2015). "U.S. Suspects Hackers in China Breached About 4 Million People's Records, Officials Say". Wall Street Journal. Retrieved 5 June 2015.
  2. "U.S. gov't hack may be 4 times larger than first reported".
  3. Auerbach, David. "The OPM Breach Is a Catastrophe".
  4. Risen, Tom (5 June 2015). "China Suspected in Theft of Federal Employee Records". US News & World Report. Retrieved 5 June 2015.
  5. Sanders, Sam (4 June 2015). "Massive Data Breach Puts 4 Million Federal Employees' Records At Risk". NPR. Retrieved 5 June 2015.
  6. Levine, Mike. "OPM Hack Far Deeper Than Publicly Acknowledged, Went Undetected For More Than A Year, Sources Say".
  7. "Breach of Employee Data Wider Than Initial Report, U.S. Says".
  8. Hill, Kashmir. "I am one of the millions of federal employees who just got hacked".
  9. Zengerle, Patricia; Cassella, Megan (9 July 2015). "Estimate of Americans hit by government personnel data hack skyrockets". Reuters. Retrieved 9 July 2015.
  10. Sanger, David E. (5 June 2015). "Hacking Linked to China Exposes Millions of U.S. Workers". New York Times. Retrieved 5 June 2015.
  11. "A product demo revealed the 'biggest ever' government data breach". Fortune. Retrieved 10 July 2015.
  12. Zetter, Kim; Greenberg, Andy (11 June 2015). "Why The OPM Breach Is Such a Security and Privacy Debacle". Wired. Retrieved 10 July 2015.
  13. "Report: Hack of government employee records discovered by product demo". Ars Technica. Retrieved 10 July 2015.
  14. Paletta, Damian; Hughes, Siobhan (10 June 2015). "U.S. Spy Agencies Join Probe of Personnel-Records Theft". WSJ. Retrieved 10 July 2015.
  15. "CyTech Services Confirms Assistance to OPM Breach Response". PRWeb. 15 June 2015. Retrieved 10 July 2015.
  16. "Credit for discovering the OPM breach". POLITICO. Retrieved 17 September 2016.
  17. "Surprise! House Oversight report blames OPM leadership for breach of records". Retrieved 17 September 2016.
  18. Dilanian, Ken (11 June 2015). "Union: Hackers have personnel data on every federal employee". Associated Press.
  19. Sanger, David E. (23 September 2015). "Hackers Took Fingerprints of 5.6 Million U.S. Workers, Government Says". The New York Times. ISSN 0362-4331. Retrieved 23 September 2015.
  20. Paglieri, Jose. "OPM hack's unprecedented haul: 1.1 million fingerprints". Retrieved 11 July 2015.
  21. Liptak, Kevin (4 June 2015). "U.S. government hacked; feds think China is the culprit". CNN. Retrieved 5 June 2015.
  22. Gallagher, Sean. "Encryption 'would not have helped' at OPM, says DHS official". Ars Technica.
  23. Auerbach, David (16 June 2015). "The OPM Breach Is a Catastrophe: First the government must own up to its failure. Then the feds should follow this plan to fix it". Slate.
  24. Office of Personnel Management, Office of the Inspector General. Semiannual Report to Congress: October 1, 2014 – March 31, 2015.
  25. Schmidt, Michael S.; Sanger, David E.; Perlroth, Nicole. "Chinese Hackers Pursue Key Data on U.S. Workers". The New York Times. Retrieved 29 June 2015.
  26. Jackson, George. "Archuleta on attempted breach and USIS". Retrieved 29 June 2015.
  27. Davis, Julie H. "Katherine Archuleta, Director of Office of Personnel Management, Resigns". The New York Times. Retrieved 10 July 2015.
  28. "Too Much Information: A transcript of the weekend's program on FOX News Channel" (12 July 2015).
  29. Boyd, Aaron (22 June 2015). "OPM breach a failure on encryption, detection". Federal Times. Retrieved 17 November 2015.
  30. "Watchdog accuses OPM of hindering hack investigation". Retrieved 8 August 2015.
  31. "OPM's cybersecurity chief resigns in wake of massive data breach". Retrieved 23 February 2016.
  32. "Hacks of OPM databases compromised 22.1 million people, federal authorities say". The Washington Post. 9 July 2015.
  33. "China Is 'Leading Suspect' in Massive Hack of US Government Networks". ABC News. 25 June 2015.
  34. "After Security Meeting, Trump Admits Possibility of Russian Hacking". The New York Times. 6 January 2017.