In June 2015, the United States Office of Personnel Management (OPM) announced that it had been the target of a data breach targeting personnel records. Approximately 22.1 million records were affected, including records related to government employees, other people who had undergone background checks, and their friends and family. In one of the largest breaches of government data in U.S. history, the information obtained and exfiltrated[Josh Fruhlinger, "The OPM hack explained: Bad security practices meet China's Captain America", ''CSO'' (February 12, 2020)] included personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses. State-sponsored hackers working on behalf of the Chinese government carried out the attack.[Garrett M. Graff, "China's Hacking Spree Will Have a Decades-Long Fallout", ''Wired'' (February 11, 2020)]
The data breach consisted of two separate, but linked, attacks. It is unclear when the first attack occurred, but the second attack happened on May 7, 2014, when attackers posed as an employee of KeyPoint Government Solutions, a subcontracting company. The first attack was discovered March 20, 2014, but the second attack was not discovered until April 15, 2015. In the aftermath of the event, Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour, resigned.
Discovery
The first breach, named "X1" by the Department of Homeland Security (DHS), was discovered March 20, 2014, when a third party notified DHS of data exfiltration from OPM's network.
Regarding the second breach, named "X2", the ''New York Times'' had reported that the infiltration was discovered using the United States Computer Emergency Readiness Team (US-CERT)'s Einstein intrusion-detection program. However, the ''Wall Street Journal'', ''Wired'', ''Ars Technica'', and ''Fortune'' later reported that it was unclear how the breach was discovered. They reported that it may have been a product demonstration of CyFIR, a commercial forensic product from the Manassas, Virginia security company CyTech Services, that uncovered the infiltration. These reports were subsequently discussed by CyTech Services in a press release issued by the company on June 15, 2015, to clarify contradictions made by OPM spokesman Sam Schumach in a later edit of the ''Fortune'' article. However, it was not CyTech Services that uncovered the infiltration; rather, it was detected by OPM personnel using a software product of the vendor Cylance. Ultimately, the conclusive House of Representatives' Majority Staff Report on the OPM breach found no evidence suggesting that CyTech Services knew of Cylance's involvement or had prior knowledge of an existing breach at the time of its product demonstration, leading to the finding that both tools independently "discovered" the malicious code running on the OPM network.
Data theft
Theft of security clearance information
The data breach compromised highly sensitive 127-page Standard Form 86 (SF 86) questionnaires (the Questionnaire for National Security Positions). SF-86 forms contain information about family members, college roommates, foreign contacts, and psychological information. Initially, OPM stated that family members' names were not compromised, but OPM subsequently confirmed that investigators had "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, to include U.S. military personnel, and those for whom a federal background investigation was conducted, may have been exfiltrated." The Central Intelligence Agency, however, does not use the OPM system; therefore, it may not have been affected.
Theft of personal details
J. David Cox, president of the American Federation of Government Employees (AFGE), wrote in a letter to OPM director Katherine Archuleta that, based on the incomplete information that the AFGE had received from OPM, "We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees."[Ken Dilanian, "Union: Hackers have personnel data on every federal employee", Associated Press (June 11, 2015)] Cox stated that the AFGE believes that the breach compromised military records, veterans' status information, addresses, dates of birth, job and pay history, health insurance and life insurance information, pension information, and data on age, gender, and race.
Theft of fingerprints
The stolen data included 5.6 million sets of fingerprints. Biometrics expert Ramesh Kesanupalli said that because of this, secret agents were no longer safe, as they could be identified by their fingerprints, even if their names had been changed.
Perpetrators
The overwhelming consensus is that the cyberattack was carried out by state-sponsored attackers for the Chinese government. The attack originated in China, and the backdoor tool used to carry out the intrusion, PlugX, has previously been used by Chinese-language hacking groups that target Tibetan and Hong Kong political activists. The use of superhero names is also a hallmark of Chinese-linked hacking groups. The House Committee on Oversight and Government Reform report on the breach strongly suggested the attackers were state actors due to the use of a very specific and highly developed piece of malware. U.S. Department of Homeland Security official Andy Ozment testified that the attackers had gained valid user credentials to the systems they were attacking, likely through social engineering. The breach also consisted of a malware package which installed itself within OPM's network and established a backdoor. From there, attackers escalated their privileges to gain access to a wide range of OPM's systems. In an article that came out before the House Oversight report, ''Ars Technica'' reported on poor security practices at OPM contractors, including that at least one worker with root access to every row in every database was physically located in China, and that another contractor had two employees with Chinese passports. However, these were discussed as poor security practices, not as the actual source of the leak. China denied responsibility for the attack.
In 2017, Chinese national Yu Pingan was arrested on charges of providing the "Sakula" malware used in the OPM data breach and other cyberintrusions.[Steve Stecklow & Alexandra Harney, "Exclusive: Malware broker behind U.S. hacks is now teaching computer skills in China", Reuters (December 24, 2019)] The FBI arrested Yu at Los Angeles International Airport after he had flown to the U.S. for a conference. Yu spent 18 months at the San Diego federal detention center, pleaded guilty to the federal offense of conspiracy to commit computer hacking, and was subsequently deported to China. He was sentenced to time served in February 2019 and permitted to return to China; by the end of that year, Yu was working as a teacher at the government-run Shanghai Commercial School in central Shanghai. Yu was sentenced to pay $1.1 million in restitution to companies targeted by the malware, although there is little possibility of actual repayment. Yu was one of a very small number of Chinese hackers to be arrested and convicted in the U.S.; most hackers are never apprehended.
Motive
Whether the attack was motivated by commercial gain remains unclear. It has been suggested that hackers working for the Chinese military intend to compile a database of Americans using the data obtained from the breach.
Warnings
The OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office of the Inspector General semi-annual report to Congress warned of "persistent deficiencies in OPM's information system security program," including "incomplete security authorization packages, weaknesses in testing of information security controls, and inaccurate Plans of Action and Milestones."
A July 2014 story in ''The New York Times'' quoted unnamed senior American officials saying that Chinese hackers had broken into OPM. The officials said that the hackers seemed to be targeting files on workers who had applied for security clearances, and had gained access to several databases, but had been stopped before they obtained the security clearance information. In an interview later that month, Katherine Archuleta, the director of OPM, said that the most important thing was that no personal identification information had been compromised.
Responsibility
Some lawmakers called for Archuleta to resign, citing mismanagement and the fact that she was a political appointee and former Obama campaign official with no degree or experience in human resources. She responded that neither she nor OPM chief information officer Donna Seymour would do so. "I am committed to the work that I am doing at OPM," Archuleta told reporters. "I have trust in the staff that is there." On July 10, 2015, Archuleta resigned as OPM director.
Daniel Henninger, deputy editorial page director of the ''Wall Street Journal'', speaking on Fox News' ''Journal Editorial Report'', criticized the appointment of Archuleta to be "in charge of one of the most sensitive agencies" in the U.S. government, saying: "What is her experience to run something like that? She was the national political director of Barack Obama's 2012 re-election campaign. She's also the head of something called the Latina Initiative. She's a politico, right? ... That is the kind of person they have put in."["Too Much Information: A transcript of the weekend's program on FOX News Channel" (July 12, 2015)]
Security experts have stated that the biggest problem with the breach was not the failure to prevent remote break-ins, but the absence of mechanisms to detect outside intrusion and the lack of proper encryption of sensitive data. OPM CIO Donna Seymour countered that criticism by pointing to the agency's aging systems as the primary obstacle to putting such protections in place, despite having encryption tools available. DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment explained further that, "If an adversary has the credentials of a user on the network, then they can access data even if it's encrypted, just as the users on the network have to access data, and that did occur in this case. So encryption in this instance would not have protected this data."
Investigation
A July 22, 2015 memo by Inspector General Patrick McFarland said that OPM's Chief Information Officer Donna Seymour was slowing his investigation into the breach, leading him to wonder whether she was acting in good faith. He did not raise any specific claims of misconduct, but he did say that her office was fostering an "atmosphere of mistrust" by giving him "incorrect or misleading" information. On Monday, February 22, 2016, CIO Donna Seymour resigned, just two days before she was scheduled to testify before a House panel that was continuing to investigate the data breach.
In 2018, the OPM was reportedly still vulnerable to data thefts, with 29 of the Government Accountability Office's 80 recommendations remaining unaddressed. In particular, the OPM was reportedly still using passwords that had been stolen in the breach. It also had not discontinued the practice of sharing administrative accounts between users, despite that practice having been recommended against as early as 2003.
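Two points in the sections above describe the same gap from a defender's perspective: under Responsibility, that the missing control was detection of intrusions by actors holding valid credentials, against whom encryption at rest does not help; and under Investigation, the continued sharing of administrative accounts between users. The following Python script is an added example written for this article, not OPM's or any vendor's tooling. It runs two checks over a constructed database audit log (the line format, account names, addresses and thresholds are all assumptions): one flags an account active from more than one source address within a short window, which is what both a shared admin account and a stolen credential look like in logs; the other flags accounts whose read volume on a table exceeds a threshold within a sliding window, since with valid credentials the volume, not the access itself, is the signal.

```python
"""Two detection checks over a database audit log for misuse of valid credentials.

Added example, not code from the original article, OPM or any vendor.
Assumed audit line format:
    "<ISO timestamp> user=<account> src=<ip> table=<name> rows=<n>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data); "dbadmin" is a hypothetical
# shared administrative account used from two workstations.
SAMPLE_LOG = """\
2015-01-01T02:01:10 user=svc_backup src=10.0.5.21 table=cpdf rows=500
2015-01-01T02:03:40 user=jdoe src=10.0.8.14 table=cpdf rows=12
2015-01-01T02:05:02 user=dbadmin src=10.0.7.3 table=sf86 rows=20
2015-01-01T02:06:15 user=dbadmin src=10.0.9.88 table=sf86 rows=250000
2015-01-01T02:07:30 user=dbadmin src=10.0.9.88 table=sf86 rows=250000
2015-01-01T02:09:00 user=dbadmin src=10.0.9.88 table=fingerprints rows=400000
2015-01-01T02:10:00 user=dbadmin src=10.0.7.3 table=sf86 rows=5
2015-01-01T02:11:00 user=jdoe src=10.0.8.14 table=cpdf rows=3
"""

WINDOW = timedelta(minutes=15)   # assumed correlation window
BULK_ROWS = 100_000              # assumed per-window read-volume threshold


def parse_line(line):
    """Parse one audit line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "user": fields["user"], "src": fields["src"],
                "table": fields["table"], "rows": int(fields["rows"])}
    except (ValueError, KeyError):
        return None


def parse_log(text):
    """Parse a whole log, silently dropping malformed lines, sorted by time."""
    events = [e for e in (parse_line(ln) for ln in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def shared_account_findings(events, window=WINDOW):
    """Accounts seen from more than one source address within `window`.

    Returns {user: sorted list of source addresses}. A shared admin account
    and a stolen credential produce the same pattern, so both surface here.
    """
    findings = {}
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            srcs = {x["src"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(srcs) > 1:
                findings[user] = sorted(srcs)
                break
    return findings


def bulk_access_findings(events, window=WINDOW, threshold=BULK_ROWS):
    """(user, table) pairs whose rows read in any sliding window exceed
    `threshold`; the value is the largest window total observed.

    Encryption at rest does not stop these reads, because they are made with
    valid credentials; only the volume distinguishes them from normal use.
    """
    findings = {}
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["table"])].append(e)
    for key, evs in by_key.items():
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["rows"]
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]
                start += 1
            if total > threshold:
                findings[key] = max(findings.get(key, 0), total)
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shared accounts:", shared_account_findings(evs))
    print("bulk access:", bulk_access_findings(evs))
```

On the constructed log the first check reports `dbadmin` from both `10.0.7.3` and `10.0.9.88`, and the second reports the `dbadmin` reads of `sf86` and `fingerprints`; the low-volume `svc_backup` and `jdoe` activity is not flagged. In practice the window and threshold would be tuned per table against a baseline of normal read volumes, and the shared-account check is only meaningful once each administrator has an individual account to attribute activity to.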
Reactions
FBI Director James Comey stated: "It is a very big deal from a national security perspective and from a counterintelligence perspective. It's a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government."
Speaking at a forum in Washington, D.C., Director of National Intelligence James R. Clapper said: "You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don't think we'd hesitate for a minute."[Julianne Pepitone, "China Is 'Leading Suspect' in OPM Hacks, Says Intelligence Chief James Clapper", NBC News (June 25, 2015)]
See also
* Cyberwarfare by China
* Operation Aurora
* Yahoo! data breaches