The United States Office of Personnel Management (OPM) has recently been in the news for two separate breaches that may have compromised the information of as many as 18 million former, current and prospective federal employees. Significantly, the story of these two intrusions stretches back to as early as spring of last year. The timeline below summarizes the events that are known to have been associated with these breaches thus far.

March 2014
Chinese hackers infiltrate the OPM’s computer systems, presumably to collect information on federal employees who had applied for top security clearance in the past. The agency informs federal, state, and local government officials that they were able to thwart the attack using intrusion detection systems (IDS) installed on its network, which leads the Obama administration to believe that no personally identifiable information was compromised by the incident. No mention of the attack is therefore made to the public.

June 2014
The United States Investigation Services (USIS) discloses a breach of 25,000 government employees’ personal information to the OPM and sends out a memo on June 17 notifying 15 large federal agencies of the intrusion. The Department of Homeland Security (DHS) contacts the United States Computer Emergency Readiness Team, which launches an investigation into the scope and nature of the breach. In the meantime, the OPM severs its contracts with USIS, which leads the contractor to lay off 2,500 employees by October. It has since been revealed that this incident affecting USIS likely occurred at around the same time as the OPM breach.

July 9, 2014
The New York Times runs an article that reveals the OPM attack for the first time to the American public. On that same day, the agency sends an email to its employees informing them of the intrusion into its networks back in March and advising that they remain vigilant with regard to future computer threats.

August 6, 2014
Multiple news outlets report on the USIS June breach, with the contractor reportedly having stated that the intrusion “has all the markings of a state-sponsored attack.” By this time, the DHS has also suspended all contracts with the USIS, and the Federal Bureau of Investigation has commenced an investigation into the incident.

September 2014
Federal investigators detect a data breach affecting KeyPoint Government Solutions, a provider of investigative services for the U.S. government. It is believed that as many as 390,000 current and former DHS employees, contractors, and even job applicants may have had their private data compromised by the intrusion.

December 2014
Another separate breach is discovered at KeyPoint Government Solutions, which prompts the Office of Personnel Management to begin sending letters to more than 48,000 federal employees notifying them that their personal information may have been compromised by the incident. At the time, the OPM reports that there is no conclusive evidence any sensitive information has been exposed.

It has since been revealed that KeyPoint security credentials stolen in December were likely used to infiltrate the OPM’s computer systems that same month.

April 2015
The OPM detects a breach of its systems that is believed to have started back in December of 2014. According to a statement released by the agency, the intrusion was detected as a result of the OPM having upgraded its security detection and monitoring tools.

That same month, on April 22, U.S. government officials testify before the House Oversight and Government Reform Committee about the USIS hack that occurred last year.
As part of her testimony, Donna Seymour, Chief Information Officer of the OPM, acknowledges that hackers attacked both USIS and OPM around the same time in March 2014. However, she reiterates that the OPM had been able to thwart the attack and has since “put mitigations in place to better protect the information.”

June 4, 2015
U.S. officials reveal the breach of the OPM’s computer systems to the public and state that the agency will begin sending out notifications to 4 million former and current federal employees warning them that their personal information might have been compromised. At the same time as this announcement, iSight Partners, a private security firm, links the intrusion to the Anthem hack that occurred earlier this year.

June 12, 2015
Officials close to the investigation uncover a second breach that is believed to have compromised computer systems containing information related to the background checks of former, current, and prospective federal employees, suggesting that the OPM breach is likely much larger than originally expected.

June 16, 2015
At a hearing before the House Oversight and Government Reform Committee, OPM Director Katherine Archuleta reveals that Social Security numbers stored by the OPM were not encrypted due to the networks being “too old.”

Around that same date, some news outlets begin reporting that as many as 14 million federal employees’ personal information might have been compromised. Archuleta and other OPM officials refuse to speculate about how many additional records might have been affected by the breach. However, they do state it is possible that more than 4.2 million people’s information was compromised.

June 23, 2015
FBI Director James Comey estimates that 18 million people—about four times the original estimates—were affected by the OPM breach. Those who had their information compromised might include those who applied for federal positions but who never ultimately worked for the U.S. government.

Officials close to the investigation also express their disagreement with the claim that the OPM should have severed ties with KeyPoint, explaining that the intrusion likely occurred after hackers infiltrated the investigations contractor back in December.

June 25, 2015
U.S. Intelligence Chief James Clapper confirms that China is the chief suspect behind the OPM breach.