On June 4, 2015, the Office of Personnel Management (“OPM”) announced it had detected a massive data breach of its IT networks that exposed data in the personnel files of approximately four million current and former federal employees. The exposed data included personally identifiable information (PII) such as Social Security numbers, dates and places of birth, addresses, job assignment information, training records and benefits selections. The breach occurred in December 2014. OPM became aware of it in April 2015 while updating its IT systems and, after working with law enforcement, learned in May 2015 that the breach involved the theft of employee data. OPM said in its news release that the hack occurred before it updated its IT systems with tougher security controls.
The Federal Bureau of Investigation (“FBI”) and the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (“US-CERT”) are investigating the incident. Although attribution is difficult in cases involving malicious cyber activity, media reports citing unnamed government officials attribute the OPM hack to a Chinese state-sponsored entity that targeted OPM data housed at a U.S. Department of the Interior data center. Unlike the recent Sony hack, which law enforcement attributed to North Korea, the OPM breach has not yet been publicly attributed by law enforcement to any particular entity.
While investigating the hack, OPM recently acknowledged it may have uncovered a separate and potentially more damaging attack by the same entity, which may have hacked a second database containing security clearance information for millions of former, current, and prospective government employees. Though law enforcement is still investigating, the potentially exposed files could contain PII, financial information, medical histories, criminal records, employment history and contact information.
OPM is taking measures to strengthen its networks, including restricting remote access, reviewing connections to the internet for legitimate business purposes, and deploying anti-malware software.