Data Breach and Espionage

The OPM Hack and Data Breach

The recent Office of Personnel Management hack was a data breach and espionage on a large scale – but who orchestrated it, and how could it come to pass? Read on for more info on what might be a modern day case of spying on an international level.

What was hacked?

The Office of Personnel Management within the federal government was hacked. Specifically, two systems were breached, according to Ars Technica. One was the Electronic Official Personnel Folder. The second was the central database behind EPIC, software that collects data for government employee and contractor background investigations.

Officials say the hack likely affected 14 million people – specifically personnel data and background investigation data. The stolen data included social security numbers, names, dates, birth places, and addresses as well as detailed background security clearance related information including finances, criminal history, and past drug use.

When did this happen?

The breaches were identified over a four-month period in 2014 by two OPM investigative contractors, USIS and KeyPoint Solutions.

Who was responsible?

Current evidence points to a Chinese cyber-espionage group dubbed “Deep Panda.” According to NPR, this has not been formally announced because, while officials are convinced this is the case, this is the sort of espionage that many governments do, and calling China out may be problematic.

Why did they do it?

Unlike credit card data breaches that we have seen recently, this was likely espionage. The information could be used as blackmail, given the depth of data that was stolen and the potential risk to people whose information was leaked. Anyone with security clearance could potentially have had their info stolen.

How did the info get out and why wasn’t it caught?

According to Wired.com, multiple levels of failure were involved in the data breach. The OPM had no IT security staff until 2013. Equipment lacked appropriate encryption, and there were no inventory lists of servers and databases. The agency failed to use multi-factor authentication for systems accessed from abroad, and when it was used, the traffic was not encrypted appropriately. Ars Technica also explains that nearly half of the major IT systems were run by contractors into which OPM’s security team had limited visibility, but even internal systems lacked basic security measures and security testing. Ars Technica says that some of the contracted companies may even have employed Chinese nationals from overseas as subcontractors.

It is also thought that an inspector general’s report released in November 2014 might have identified some of the problems in security with the OPM, and may have tipped off the hackers.

Investigations are also focused on the government shutdown in October 2013, where workers were furloughed and those who would have monitored FEC networks were not on the job at the time. It is possible a Chinese breach that occurred at the time might have helped hackers find vulnerabilities in that system to use later.