Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The OPM breach report: A long time coming

Taylor Armerding | Oct. 14, 2016
The catastrophic breach of the federal Office of Personnel Management, which exposed the personal information of more than 22 million current and former employees, became public in mid-2015. It took another 15 months for Congress to complete a report on it

If you want to have even a chance of defeating cyber attacks, you have to be quick.

So, in hindsight, there is no mystery why the federal government’s Office of Personnel Management (OPM) was a loser to attackers who exfiltrated personal data – including in many cases detailed security clearance information and fingerprint data – of more than 22 million current and former federal employees.

Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later.

These and dozens of other depressing details are in a timeline that is part of a 241-page report released last month by the House Committee on Oversight and Government Reform, bluntly titled, “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”

Indeed, the report opens with a series of quotes from high-level intelligence officials, all declaring in stark terms how catastrophic the effects of the breach will be, for decades.

FBI Director James Comey spoke of the information contained in the so-called SF-86 form, used for conducting background checks for employee security clearances.

“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses,” he said. “So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”

The SF-86 also contains information on financial history, investments, arrest records, medical problems, any drug or alcohol problems and other material that could be used to blackmail an employee.

The report itself wasn’t exactly turned around quickly either – it took around 15 months from the time the breach was made public, even though much of what is contained it had been covered in the IT or mainstream press much earlier. Indeed, there are a number of citations in it to news articles.

There were also plenty of early warnings about how vulnerable the department was. It had no IT security staff until 2013. An inspector general’s report from November 2014 was blunt about a lack of basic security measures including:

  • A lack of encryption
  • No two-factor authentication for workers remotely accessing the system
  • No inventory of servers and databases
  • Lack of awareness of all the systems connected to its networks

Or, as the report summarized it, the breach, and the failure to detect and contain it were, “in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems.”


1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.