OPM Data Breach

Last Update: February 6, 2021

It has been only a year and a half since the Office of Personnel Management (OPM), the U.S. government’s human resources division, was breached. China is believed to be responsible for the hack. The breach exposed the information of approximately 21.5 million people, and data such as Social Security numbers, birth dates, fingerprints, and addresses is believed to have been accessed.

On top of that, SF-86 forms were accessed. These 127-page forms are used for conducting background checks for employee security clearances, and they include just about every bit of personal information imaginable about these individuals. This can include information about family and friends and even employees’ interactions with individuals from other countries.

Credit Monitoring Protection Offered to Victims

When this happened 18 months ago, the employees were offered free credit monitoring services through a company called Winvale. Today, about 100,000 to 150,000 of those individuals are being asked to take action and re-enroll for the same type of credit monitoring, but through another vendor.

The victims being asked to re-enroll are being sent a letter informing them of the change. They are also given the option to go to the OPM cybersecurity resource center to re-enroll. They will be asked to enroll with a new vendor called ID Experts.

They are being offered service through ID Experts because it is part of the General Services Administration blanket purchase agreement, a contract worth about $9.1 million.

There are now laws in place that require the OPM to offer credit monitoring to the victims for 10 years, due to the extensive amount of personal information that was breached and because the Chinese carried out the breach. This information could easily be used to harm the United States of America, and many lawmakers believe that these individuals should be given monitoring for life.

This issue seems to still be in debate, but the Senate Appropriations Committee approved the 10-year monitoring to be paid for by the OPM.


Who Discovered This?

One of the most interesting aspects of the original breach was that the Department of Homeland Security was touting its EINSTEIN detection program’s benefits and tried to claim that this program detected the breach. However, this turned out to be entirely false. It took investigators four months to discover the breach, and it was uncovered when administrators made upgrades to certain computer systems.

There have been many rumors that the breach was discovered by a company called Cytech Services during a sales demo of its cyber-detection software, but that turned out to be false. An OPM engineer discovered the breach.

Cytech CEO Ben Cotton said that he and his company never actually claimed to have been the first to discover the breach, only that they did indeed discover the breach during their demo, and that they did not know at the time whether it had previously been uncovered.

According to Brendan Saulsbury (the engineer who originally caught the breach), Cytech did not uncover anything that the OPM was not already aware of.

What Was The State of The OPM IT Systems?

Considering the nature of the OPM’s business, you would assume that it had a large IT security team or an outside vendor engaged to manage its IT security needs. However, the OPM had absolutely no IT security staff on its payroll until 2013, hence the breach.

According to reports, OPM failed in many different ways:

  • The agency failed to maintain an inventory of all of its servers, databases, and systems that accessed data. It did not even have an inventory of what was attached to its networks.
  • The OPM also failed to enforce multi-factor authentication for employees working remotely.
  • There was no encryption of the data that was breached.

There were so many flaws in its IT security that it was no surprise the agency became the victim of one of the largest data breaches in U.S. history.

Who Took the Fall for This?

At the time, the OPM director was Katherine Archuleta. She was not fired, but she did resign after many lawmakers called for her firing.

She wrote an email to the OPM staff:

“I write to you this afternoon to share that earlier today, I offered, and the President accepted my resignation as the Director of the U.S. Office of Personnel Management. Leading this agency and serving with all of you has been the highlight of my career.”

Her replacement was Beth Cobert, the U.S. Chief Performance Officer and a deputy director at the Office of Management and Budget. Beth took over as acting director and is still in that role today.

What Could The Victims’ Data Be Used for?

There has been a lot of speculation about how the Chinese could use the information. Here are some of the potential uses:

  • Federal background checks are designed to find information that foreign enemies could use against government workers to get them to turn over classified information. This breach and the stolen information lend themselves perfectly to these scenarios and put government secrets in danger.
  • The information stolen is exactly what a foreign government would want – the personal data of employees of the FBI, the CIA, and the NSA.

