It has only been a year and a half since the Office of Personnel Management (OPM), the U.S. government’s human resources division, was hacked. China is believed to be responsible for the hack. In this breach, approximately 21.5 million people’s information was exposed, and information such as Social Security numbers, birthdates, fingerprints and addresses is believed to have been accessed.
On top of that, SF-86 forms were accessed – these 127-page forms are documents used for conducting background checks for employee security clearances. These forms include just about every bit of personal information imaginable about these individuals. This can include information about family and friends as well, and even employees’ interactions with individuals from other countries.
Credit monitoring protection offered to victims
When this happened 18 months ago, the employees were offered free credit monitoring services through a company called Winvale. Today, about 100,000 to 150,000 of those individuals are being asked to take action and re-enroll for the same type of credit monitoring, but through another vendor.
The victims who are being asked to re-enroll are being sent a letter informing them of the change. They are also being given the option to go to OPM’s cybersecurity resource center to re-enroll. They will be asked to enroll with a new vendor called ID Experts.
Part of the reason they are being offered service through ID Experts is that it is part of the General Services Administration’s blanket purchase agreement, which is a contract worth about $9.1 million.
There are now laws in place that require the OPM to offer credit monitoring to the victims for 10 years, both because of the extensive amount of personal information that was breached and because the breach was carried out by the Chinese. This information could easily be used to harm the United States of America, and many lawmakers believe that these individuals should be given monitoring for life.
This issue still seems to be under debate, but the Senate Appropriations Committee approved the 10-year monitoring to be paid for by the OPM.
More details about this story…
Who discovered the breach?
One of the most interesting aspects of the original breach was that the Department of Homeland Security was touting the benefits of its EINSTEIN detection program and tried to claim that this program detected the breach. However, this turned out to be entirely false. It took investigators four months to discover the breach and it was uncovered when administrators made upgrades to certain computer systems.
There have been many rumors that the breach was discovered by a company called Cytech Services during a sales demo of its cyber-detection software, but that turned out to be false as well. The breach was discovered by an OPM contract engineer.
Cytech CEO Ben Cotton said that he and his company never actually claimed to have been the first to discover the breach, only that they did indeed discover the breach during their demo and did not know at the time whether the breach had previously been uncovered.
According to Brendan Saulsbury (the engineer who originally caught the breach), Cytech did not uncover anything that the OPM was not already aware of.
What was the state of the OPM’s IT systems?
Obviously, considering the nature of the OPM’s business, you would assume that they would have a large IT security team or an outside vendor engaged to manage their IT security needs. However, the OPM had absolutely no IT security staff on their payroll until 2013, hence the breach.
According to reports, the OPM failed in many different ways:
- The OPM failed to maintain an inventory of all of its servers, databases and systems that accessed data. It did not even have an inventory of systems that were attached to its networks.
- The OPM also failed to enforce multi-factor authentication for employees working remotely.
- There was no encryption of the data that was breached.
There were so many flaws in their IT security that it comes as no surprise that they fell victim to one of the largest data breaches in U.S. history.
Who took the fall for the breach?
The OPM’s director at the time was Katherine Archuleta. She was not fired, but she did resign due to many calls from various lawmakers for her firing.
She wrote an email to the OPM staff:
“I write to you this afternoon to share that earlier today, I offered and the President accepted my resignation as the Director of the U.S. Office of Personnel Management. Leading this agency and serving with all of you has been the highlight of my career.”
Her replacement was Beth Cobert, who at the time was the U.S. Chief Performance Officer and a deputy director at the Office of Management and Budget. Beth took over as acting director and is still in that role as of today.
What could the victims’ data be used for?
There has been a lot of speculation as to the ways in which the Chinese could use the information. Here are some of the potential uses:
- Federal background checks are designed to find information that could be used by foreign enemies to pry classified information from government workers. This breach and the stolen information could lend themselves perfectly to these types of scenarios and could put government secrets in danger.
- The stolen SF-86 documents also include notes on many government employees, along with the names of their foreign contacts and the types of involvement they have had with them. If any of these contacts are Chinese and the Chinese were not aware of their involvement with U.S. workers, this information could be used to blackmail or punish the Chinese citizens who kept the contact a secret.
- The information stolen is exactly what a foreign government would want – personal data of employees of the FBI, the CIA and the NSA.