OPM Data Breach

Last Update: June 3, 2020 Financial News

It has only been a year and a half since the Office of Personnel Management (OPM), the U.S. government’s human resources division. China is believed to be responsible for the hack. In this breach, approximately 21.5 million people’s information was breached and information such as social security numbers, birth dates, fingerprints and addresses were believed to be accessed.

On top of that, SF-86 forms were accessed – these 127-page forms are documents used for conducting background checks for employee security clearances. These forms include just about every bit of personal information imaginable about these individuals. This can include information about family and friends as well and even employee’s interactions with individuals from other countries.

Credit Monitoring Protection Offered to Victims

18 months ago when this happened, the employees were offered free credit monitoring services through a company called Winvale. Today, about 100,000 to 150,000 of those individuals are being asked to take action and re-enroll for the same type of credit monitoring but through another vendor.

Of those victims who are being asked to re-enroll, they are being sent a letter informing them of the change. They are also being given the option to go to OPM cyber security resource center to re-enroll. They will be asked to enroll with a new vendor called ID Experts.

Part of the reason they are being offered service through ID Experts is because it is a part of the General Services Administration blanket purchase agreement, which is a contract worth about $9.1 million.

There are now laws in place that require the OPM to offer credit monitoring to the victims for 10 years due to the extensive amount of personal information that was breached and due to the fact that the breach was enacted by the Chinese. This information could easily be used to harm the United States of America and many lawmakers believe that these individuals should be given monitoring for life.

This issue seems to still be in debate, but the Senate Appropriations Committee approved the 10 year monitoring to be paid for by the OPM.

More details about this story.

Who Discovered This?

One of the most interesting aspects of the original breach was that the Department of Homeland Security was touting the benefits of its EINSTEIN detection program and tried to claim that this program detected the breach. However, this turned out to be entirely false. It took investigators four months to discover the breach and it was uncovered when administrators made upgrades to certain computer systems.

There have been many rumors that the breach was discovered by a company called Cytech Services during a sales demo of its cyber-detection software, but that turned out to be false as well. The breach was discovered by an OPM contract engineer.

Cytech CEO Ben Cotton said that he and his company never actually claimed to have been the first to discover the breach, only that they did indeed discover the breach during their demo and they did not have any knowledge at the time if the breach had previously been uncovered or not.

According to Brendan Saulsbury (the engineer that originally caught the breach), Cytech did not uncover anything that the OPM was not already aware of.

What was The State of The OPM IT Systems?

Obviously, considering the nature of the OPM business you would assume that they would have a large IT security team or an outside vendor that they were engaged with to manage their IT security needs. However, the OPM had absolutely no IT security staff on their payroll until 2013, hence the breach.

According to reports, OPM failed in many different ways:

  • They failed to maintain an inventory of all of its servers, databases and systems that accessed data. They did not even have an inventory of systems that were attached to their networks.
  • The OPM also failed to enforce multi-factor authentication for employees working remotely.
  • There was no encryption of the data that was breached.

There were so many flaws in their IT security that is comes as no surprise that they were victim to one of the largest data breaches in U.S. history.

Who Fall for This?

OPM director at the time was Katherine Archuleta. She was not fired, but she did resign due to many calls from various lawmakers for her firing.

She wrote an email to the OPM staff:

“I write to you this afternoon to share that earlier today, I offered and the President accepted my resignation as the Director of the U.S. Office of Personnel Management. Leading this agency and serving with all of you has been the highlight of my career.”

Her replacement was Beth Cobert, who at the time was the U.S. Chief Performance Officer and a deputy director at the Office of Management and Budget. Beth took over as acting director and is still in that role as of today.

What Could The Victim’s Data Be Used for?

There has been a lot of speculation as to the ways in which the Chinese could use the information. Here are some of the potential uses:

  • Federal background checks are designed to find information that could be used by foreign enemies to to pry information from government workers to turn over classified information. This breach and the stolen information could lend perfectly to these types of scenarios and could put government secrets in danger.
  • The information stolen is exactly what a foreign government would want – personal data of employees of the FBI, the CIA and the NSA.


Recommended Articles


Credit Card Debt Drops for The First Time in 8 Years

EPF December 30, 2020

Despite the current recession, consumers have paid off more than $73 billion in credit card debt during 2020. This is the first time overall credit card debt has decreased since 2013. Since 2014, all debt (mortgage balances, auto loans, personal...


Average FICO Score Hits Record High in 2021

EPF December 27, 2020

Lockdowns across the country prevented many people from eating out in restaurants, shopping in malls, retail stores, and vacation. This could be a contributing factor to the uptick in FICO credit scores. With less opportunity to spend discretionary funds, many...