Office of Personnel Management data breach

The Office of Personnel Management data breach was a 2015 data breach targeting Standard Form 86 (SF-86) U.S. government security clearance records retained by the United States Office of Personnel Management (OPM). One of the largest breaches of government data in U.S. history, the attack was carried out by an advanced persistent threat based in China, widely believed to be the Jiangsu State Security Department, a subsidiary of the Government of China's Ministry of State Security spy agency.

In June 2015, OPM announced that it had been the target of a data breach targeting personnel records. [1] Approximately 22.1 million records were affected, including records related to government employees, other people who had undergone background checks, and their friends and family. [2] [3] In one of the largest breaches of government data in U.S. history, [1] the information obtained and exfiltrated [4] included personally identifiable information such as Social Security numbers, [5] as well as names, dates and places of birth, and addresses. [6] State-sponsored hackers working on behalf of the Chinese government carried out the attack. [4] [7]

The data breach consisted of two separate but linked attacks. [8] It is unclear when the first attack occurred, but the second attack happened on May 7, 2014, when attackers posed as an employee of KeyPoint Government Solutions, a subcontracting company. The first attack was discovered on March 20, 2014, but the second attack was not discovered until April 15, 2015. [8] In the aftermath of the event, Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour, resigned. [9]

Discovery

The first breach, named "X1" by the Department of Homeland Security (DHS), was discovered on March 20, 2014, when a third party notified DHS of data exfiltration from OPM's network. [8]

Regarding the second breach, named "X2", the New York Times had reported that the infiltration was discovered using the United States Computer Emergency Readiness Team (US-CERT)'s Einstein intrusion-detection program. [10] However, the Wall Street Journal, Wired, Ars Technica, and Fortune later reported that it was unclear how the breach was discovered. They reported that it may have been a product demonstration of CyFIR, a commercial forensic product from CyTech Services, a security company in Manassas, Virginia, that uncovered the infiltration. [11] [12] [13] [14] These reports were subsequently discussed by CyTech Services in a press release issued by the company on June 15, 2015, [15] to clarify contradictions made by OPM spokesman Sam Schumach in a later edit of the Fortune [11] article. However, it was not CyTech Services that uncovered the infiltration; rather, it was detected by OPM personnel using a software product of the vendor Cylance. [16] [17] Ultimately, the conclusive House of Representatives' Majority Staff Report on the OPM breach found no evidence suggesting that CyTech Services knew of Cylance's involvement or had prior knowledge of an existing breach at the time of its product demonstration, leading to the finding that both tools independently "discovered" the malicious code running on the OPM network. [8]

Data theft

Theft of security clearance information

The data breach compromised the highly sensitive 127-page Standard Form 86 (SF-86), the Questionnaire for National Security Positions. [7] [18] SF-86 forms contain information about family members, college roommates, foreign contacts, and psychological information. Initially, OPM stated that family members' names were not compromised, [18] but OPM subsequently confirmed that investigators had "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, to include U.S. military personnel, and those for whom a federal background investigation was conducted, may have been exfiltrated." [19] The Central Intelligence Agency, however, does not use the OPM system; therefore, it may not have been affected. [20]

Theft of personal details

J. David Cox, president of the American Federation of Government Employees, wrote in a letter to OPM director Katherine Archuleta that, based on the incomplete information that the AFGE had received from OPM, "We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees." [21] Cox stated that the AFGE believes that the breach compromised military records, veterans' status information, addresses, dates of birth, job and pay history, health insurance and life insurance information, pension information, and data on age, gender, and race. [21]

Theft of fingerprints

The stolen data included 5.6 million sets of fingerprints. [22] Biometrics expert Ramesh Kesanupalli said that because of this, secret agents were no longer safe, as they could be identified by their fingerprints, even if their names had been changed. [23]

Perpetrators

The overwhelming consensus is that the cyberattack was carried out by state-sponsored attackers for the Chinese government, specifically the Jiangsu State Security Department. [4] The attack originated in China, [6] and the backdoor tool used to carry out the intrusion, PlugX, has been previously used by Chinese-language hacking groups that target Tibetan and Hong Kong political activists. [4] The use of superhero names is also a hallmark of Chinese-linked hacking groups. [4]

The House Committee on Oversight and Government Reform report on the breach strongly suggested that the attackers were state actors, due to the use of a very specific and highly developed piece of malware. [8] U.S. Department of Homeland Security official Andy Ozment testified that the attackers had gained valid user credentials to the systems they were attacking, likely through social engineering. The breach also involved a malware package that installed itself within OPM's network and established a backdoor. From there, the attackers escalated their privileges to gain access to a wide range of OPM's systems. In an article that came out before the House Oversight report, Ars Technica reported on poor security practices at OPM contractors: at least one worker with root access to every row in every database was physically located in China, and another contractor had two employees with Chinese passports. [24] However, these were discussed as poor security practices, not as the actual source of the leak.

China denied responsibility for the attack. [25]

In 2017, Chinese national Yu Pingan was arrested on charges of providing the "Sakula" malware used in the OPM data breach and other cyberintrusions. [26] [27] The FBI arrested Yu at Los Angeles International Airport after he had flown to the U.S. for a conference. [26] [27] Yu spent 18 months at the San Diego federal detention center and pleaded guilty to the federal offense of conspiracy to commit computer hacking and was subsequently deported to China. [27] He was sentenced to time served in February 2019 and permitted to return to China; by the end of that year, Yu was working as a teacher at the government-run Shanghai Commercial School in central Shanghai. [27] Yu was sentenced to pay $1.1 million in restitution to companies targeted by the malware, although there is little possibility of actual repayment. [27] Yu was one of a very small number of Chinese hackers to be arrested and convicted in the U.S.; most hackers are never apprehended. [27]

Motive

Whether the attack was motivated by commercial gain remains unclear. [10] It has been suggested that hackers working for the Chinese military intend to compile a database of Americans using the data obtained from the breach. [25]

Warnings

The OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office of the Inspector General semi-annual report to Congress warned of "persistent deficiencies in OPM's information system security program," including "incomplete security authorization packages, weaknesses in testing of information security controls, and inaccurate Plans of Action and Milestones." [28] [29]

A July 2014 story in The New York Times quoted unnamed senior American officials saying that Chinese hackers had broken into OPM. The officials said that the hackers seemed to be targeting files on workers who had applied for security clearances, and had gained access to several databases, but had been stopped before they obtained the security clearance information. In an interview later that month, Katherine Archuleta, the director of OPM, said that the most important thing was that no personal identification information had been compromised. [20] [30] [31]

Responsibility

Some lawmakers called for Archuleta to resign, citing mismanagement and the fact that she was a political appointee and former Obama campaign official with no degree or experience in human resources. She responded that neither she nor OPM chief information officer Donna Seymour would do so. "I am committed to the work that I am doing at OPM," Archuleta told reporters. "I have trust in the staff that is there." [2] On July 10, 2015, Archuleta resigned as OPM director. [32]

Daniel Henninger, deputy editorial page director of the Wall Street Journal, speaking on Fox News' Journal Editorial Report, criticized the appointment of Archuleta to be "in charge of one of the most sensitive agencies" in the U.S. government, saying: "What is her experience to run something like that? She was the national political director of Barack Obama's 2012 re-election campaign. She's also the head of something called the Latina Initiative. She's a politico, right? ... That is the kind of person they have put in." [33]

Security experts have stated that the biggest problem with the breach was not the failure to prevent remote break-ins, but the absence of mechanisms to detect outside intrusion and the lack of proper encryption of sensitive data. OPM CIO Donna Seymour countered that criticism by pointing to the agency's aging systems as the primary obstacle to putting such protections in place, despite having encryption tools available. DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment explained further that, "If an adversary has the credentials of a user on the network, then they can access data even if it's encrypted, just as the users on the network have to access data, and that did occur in this case. So encryption in this instance would not have protected this data." [34]
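The following is an added illustration of Ozment's argument and is not code from the article or from OPM. It models a record store whose rows are encrypted at rest but are read through the ordinary credentialed path: whoever presents a valid account's credentials receives plaintext, so encryption alone does not stop exfiltration, while a per-account read-volume baseline (the kind of detection control the experts quoted above say was absent) does raise an alert on a bulk pull. The account name, baseline value and record contents are constructed; the keystream cipher is a stand-in for a real AEAD such as AES-GCM.

```python
"""Encryption at rest vs. credentialed access: why detection, not encryption, was the gap."""
import hashlib
import os
from collections import defaultdict
from dataclasses import dataclass, field


# Stand-in for a vetted AEAD (use AES-GCM from a real library in practice). It exists only so
# that the stored bytes are genuinely unreadable without the key; it is not a cipher design.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


@dataclass(frozen=True)
class Session:
    account: str        # the account whose credentials were presented
    authenticated: bool  # the store cannot tell a stolen credential from a legitimate one


@dataclass
class RecordStore:
    key: bytes
    rows: dict = field(default_factory=dict)       # record id -> ciphertext at rest
    baseline: dict = field(default_factory=dict)   # account -> typical reads per day (constructed)
    reads: defaultdict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)
    ALERT_MULTIPLIER = 5  # alert once an account exceeds five times its baseline

    def put(self, rec_id: int, plaintext: bytes) -> None:
        self.rows[rec_id] = seal(self.key, plaintext)

    def fetch(self, session: Session, rec_id: int) -> bytes:
        if not session.authenticated:
            raise PermissionError("no valid credentials")
        self.reads[session.account] += 1
        limit = self.ALERT_MULTIPLIER * self.baseline.get(session.account, 1)
        if self.reads[session.account] == limit + 1:  # fire exactly once per crossing
            self.alerts.append(f"{session.account}: {limit + 1} reads exceeds {limit} limit")
        # The normal access path decrypts for any authenticated caller: encryption at rest
        # does not distinguish the rightful user from an intruder holding the same credentials.
        return unseal(self.key, self.rows[rec_id])


def build_store(n_records: int = 200) -> RecordStore:
    store = RecordStore(key=os.urandom(32), baseline={"investigator01": 20})
    for i in range(n_records):
        store.put(i, f"SF-86 #{i:04d}: constructed sample data".encode())
    return store


def run_scenario() -> dict:
    store = build_store()
    legit = Session("investigator01", True)
    for i in range(15):                      # a normal working day
        store.fetch(legit, i)
    alerts_after_normal = len(store.alerts)
    stolen = Session("investigator01", True)  # same account, credentials now in an intruder's hands
    pulled = [store.fetch(stolen, i) for i in range(len(store.rows))]
    return {
        "plaintext_returned_to_intruder": all(p.startswith(b"SF-86") for p in pulled),
        "ciphertext_readable_without_key": b"SF-86" in store.rows[0],
        "alerts_after_normal_use": alerts_after_normal,
        "alerts_after_bulk_pull": len(store.alerts),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The bulk pull succeeds in full despite encryption; only the read-rate check surfaces it, which is the control the article's sources describe as missing.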

Investigation

A July 22, 2015, memo by Inspector General Patrick McFarland said that OPM's Chief Information Officer Donna Seymour was slowing his investigation into the breach, leading him to wonder whether or not she was acting in good faith. He did not raise any specific claims of misconduct, but he did say that her office was fostering an "atmosphere of mistrust" by giving him "incorrect or misleading" information. [35] On Monday, February 22, 2016, CIO Donna Seymour resigned, just two days before she was scheduled to testify before a House panel that was continuing to investigate the data breach. [36]

In 2018, the OPM was reportedly still vulnerable to data thefts, with 29 of the Government Accountability Office's 80 recommendations remaining unaddressed. [37] In particular, the OPM was reportedly still using passwords that had been stolen in the breach. [37] It also had not discontinued the practice of sharing administrative accounts between users, despite that practice having been recommended against as early as 2003. [37]

Reactions

FBI Director James Comey stated: "It is a very big deal from a national security perspective and from a counterintelligence perspective. It's a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government." [38]

Speaking at a forum in Washington, D.C., Director of National Intelligence James R. Clapper said: "You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don't think we'd hesitate for a minute." [39]


References

  1. Barrett, Devlin (5 June 2015). "U.S. Suspects Hackers in China Breached About four (4) Million People's Records, Officials Say". Wall Street Journal. Retrieved 5 June 2015.
  2. Zengerle, Patricia; Cassella, Megan (2015-07-09). "Estimate of Americans hit by government personnel data hack skyrockets". Reuters. Retrieved 2015-07-09.
  3. Nakashima, Ellen (9 July 2015). "Hacks of OPM databases compromised 22.1 million people, federal authorities say". The Washington Post. Retrieved 19 July 2020.
  4. Fruhlinger, Josh (2020-02-12). "The OPM hack explained: Bad security practices meet China's Captain America". CSO Online. Retrieved 2023-05-29.
  5. Risen, Tom (5 June 2015). "China Suspected in Theft of Federal Employee Records". U.S. News & World Report. Retrieved 5 June 2015.
  6. Sanders, Sam (4 June 2015). "Massive Data Breach Puts 4 Million Federal Employees' Records At Risk". NPR. Retrieved 5 June 2015.
  7. Graff, Garrett M. (February 11, 2020). "China's Hacking Spree Will Have a Decades-Long Fallout". Wired.
  8. Chaffetz, Jason (September 7, 2016). "The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation" (PDF). House Committee on Oversight and Government Reform. Archived from the original (PDF) on September 21, 2018. Retrieved October 4, 2019.
  9. Boyd, Aaron (2017-08-08). "OPM CIO Seymour resigns days before Oversight hearing". Federal Times. Retrieved 2017-12-04.
  10. Sanger, David E. (5 June 2015). "Hacking Linked to China Exposes Millions of U.S. Workers". New York Times. Retrieved 5 June 2015.
  11. "A product demo revealed the 'biggest ever' government data breach". Fortune. Retrieved 10 July 2015.
  12. Zetter, Kim; Greenberg, Andy (11 June 2015). "Why The OPM Breach Is Such a Security and Privacy Debacle". Wired. Retrieved 10 July 2015.
  13. "Report: Hack of government employee records discovered by product demo". Ars Technica. 11 June 2015. Retrieved 10 July 2015.
  14. Paletta, Damian; Hughes, Siobhan (10 June 2015). "U.S. Spy Agencies Join Probe of Personnel-Records Theft". WSJ. Retrieved 10 July 2015.
  15. "CyTech Services Confirms Assistance to OPM Breach Response". PRWeb. 15 June 2015. Retrieved 10 July 2015.
  16. "Credit for discovering the OPM breach". POLITICO. 27 May 2016. Retrieved 2016-09-17.
  17. "Surprise! House Oversight report blames OPM leadership for breach of records". 7 September 2016. Retrieved 2016-09-17.
  18. Levine, Mike. "OPM Hack Far Deeper Than Publicly Acknowledged, Went Undetected For More Than A Year, Sources Say".
  19. "Breach of Employee Data Wider Than Initial Report, U.S. Says". Bloomberg.com. June 12, 2015.
  20. Auerbach, David. "The OPM Breach Is a Catastrophe".
  21. Dilanian, Ken (June 11, 2015). "Union: Hackers have personnel data on every federal employee". Associated Press.
  22. Sanger, David E. (2015-09-23). "Hackers Took Fingerprints of 5.6 Million U.S. Workers, Government Says". The New York Times. ISSN 0362-4331. Retrieved 2015-09-23.
  23. Paglieri, Jose (10 July 2015). "OPM hack's unprecedented haul: 1.1 million fingerprints". Retrieved 11 July 2015.
  24. Gallagher, Sean. "Encryption "would not have helped" at OPM, says DHS official".
  25. Liptak, Kevin (4 June 2015). "U.S. government hacked; feds think China is the culprit". CNN. Retrieved 5 June 2015.
  26. Barrett, Devlin (August 24, 2017). "Chinese national arrested for allegedly using malware linked to OPM hack". Washington Post.
  27. Stecklow, Steve; Harney, Alexandra (December 24, 2019). "Exclusive: Malware broker behind U.S. hacks is now teaching computer skills in China". Reuters.
  28. Auerbach, David (June 16, 2015). "The OPM Breach Is a Catastrophe: First the government must own up to its failure. Then the feds should follow this plan to fix it". Slate.
  29. Office of Personnel Management, Office of the Inspector General. Semiannual Report to Congress: October 1, 2014–March 31, 2015.
  30. Schmidt, Michael S.; Sanger, David E.; Perlroth, Nicole (10 July 2014). "Chinese Hackers Pursue Key Data on U.S. Workers". The New York Times. Retrieved 29 June 2015.
  31. Jackson, George. "Archuleta on attempted breach and USIS". Retrieved 29 June 2015.
  32. Davis, Julie H. (10 July 2015). "Katherine Archuleta, Director of Office of Personnel Management, Resigns". The New York Times. Retrieved 10 July 2015.
  33. "Too Much Information: A transcript of the weekend's program on FOX News Channel" (July 12, 2015).
  34. Boyd, Aaron (22 June 2015). "OPM breach a failure on encryption, detection". Federal Times. Retrieved 17 November 2015.
  35. "Watchdog accuses OPM of hindering hack investigation". Fox News. Retrieved 8 August 2015.
  36. "OPM's cybersecurity chief resigns in wake of massive data breach". USA Today. Retrieved 23 February 2016.
  37. Mathews, Lee. "Office Of Personnel Management Still Vulnerable 3 Years After Massive Hack". Forbes.
  38. "Hacks of OPM databases compromised 22.1 million people, federal authorities say". The Washington Post. July 9, 2015.
  39. Pepitone, Julianne (June 25, 2015). "China Is 'Leading Suspect' in OPM Hacks, Says Intelligence Chief James Clapper". NBC News.