From Home Depot to Target to Sony, the world is not lacking in the massive-data-breach department. These hacks have opened up a host of problems for the companies involved, including lawsuits and the implementation of more secure systems to protect sensitive data, as well as for the individuals whose personal and/or financial information may have been compromised. But surely our federal government is safe from hackers, right? The answer, unfortunately, is no.
The Office of Personnel Management (“OPM”) is a federal governmental organization that is “responsible for personnel management of the civil service of the Government,” and it strives “to make the Federal government America’s model employer for the 21st century.” See https://www.opm.gov/about-us/our-mission-role-history/. But in April 2015, OPM discovered and began investigating a data breach of up to 4.2 million of its employees’ records. See https://privacyassociation.org/news/a/opm-blames-legacy-systems-in-contentious-hearing/. The information included the employees’ names, Social Security numbers, and dates of birth. Then on June 8, 2015, OPM announced that it was looking into a second breach, this one involving “background investigations of current, former, and prospective Federal government employees.” See http://www.opm.gov/news/latest-news/announcements/frequently-asked-questions/. On June 18, 2015, however, OPM officials acknowledged that this second hack occurred a full year ago. See http://thehill.com/policy/cybersecurity/245510-security-clearance-hack-stretches-back-full-year. Individuals affected by the first data breach were notified between June 8, 2015, and June 19, 2015. The investigation regarding the second breach is still ongoing, but it is now estimated that up to 14 million people will be affected by the two breaches. Id.
It is thought that Chinese hackers are responsible for both hacks in a possible attempt to compile an extensive database on government workers. Id. President Obama is considering economic sanctions against China, but at this point it is not clear that the Chinese government was behind the attacks. And it must be crystal clear that these were Chinese-government-sponsored hacks, or the U.S. will be placed in a very difficult position: China has an undeniably strong position in the global economy, and the U.S. and Chinese economies are closely intertwined. Any sanctions efforts by the U.S. would almost certainly be met with staunch opposition from China that could affect the U.S. economy. See http://www.usnews.com/news/articles/2015/06/15/obama-considers-sanctions-after-opm-breach.
It is important to investigate who is responsible for the hacks, but the House Oversight and Government Reform Committee (“Committee”) is also inquiring as to how OPM allowed the hacks to occur. The Committee conducted a hearing on June 16, 2015, regarding the OPM breaches. Many lawmakers placed the blame on the policies and systems on which OPM relied for data protection and stated that OPM’s leadership should resign. The Committee wanted to know why OPM did not abide by the 2014 recommendation of the Office of the Inspector General to shut down eleven of its computer security systems. OPM blamed legacy systems dating back to 1985 because they could not be encrypted.
It is unclear whether OPM’s leadership will resign in the face of this hacker disaster. But what is clear is that more research and investigation into what went wrong and how to prevent future attacks will continue. Our Privacy & Data Security Group will continue to monitor and report on the implications of government data breaches.