
Updated: July 10, 2015 – 9:00 AM PST

The United States Office of Personnel Management (OPM) has recently been in the news for two separate breaches that may have compromised the information of as many as 18 million former, current and prospective federal employees. Significantly, the story of these two intrusions stretches back to as early as spring of last year. The timeline below summarizes the events that are known to have been associated with these breaches thus far.

March 2014

Chinese hackers infiltrate the OPM’s computer systems, presumably to collect information on federal employees who had applied for top security clearance in the past. The agency informs federal, state, and local government officials that they were able to thwart the attack using intrusion detection systems (IDS) installed on its network, which leads the Obama administration to believe that no personally identifiable information was compromised by the incident. No mention of the attack is therefore made to the public.

June 2014

The United States Investigation Services (USIS) discloses a breach of 25,000 government employees’ personal information to the OPM and sends out a memo on June 17 notifying 15 large federal agencies of the intrusion. The Department of Homeland Security (DHS) contacts the United States Computer Emergency Readiness Team, which launches an investigation into the scope and nature of the breach. In the meantime, the OPM severs its contracts with USIS, which leads the contractor to lay off 2,500 employees by October. It has since been revealed that this incident affecting USIS likely occurred at around the same time as the OPM breach.

July 9, 2014

The New York Times runs an article that reveals the OPM attack for the first time to the American public. On that same day, the agency sends an email to its employees informing them of the intrusion into its networks back in March and advising that they remain vigilant with regard to future computer threats.

August 6, 2014

Multiple news outlets report on the USIS June breach, with the contractor reportedly having stated that the intrusion “has all the markings of a state-sponsored attack.” By this time, the DHS has also suspended all contracts with the USIS, and the Federal Bureau of Investigation has commenced an investigation into the incident.

September 2014

Federal investigators detect a data breach affecting KeyPoint Government Solutions, a provider of investigative services for the U.S. government. It is believed that as many as 390,000 current and former DHS employees, contractors, and even job applicants may have had their private data compromised by the intrusion.

December 2014

Another separate breach is discovered at KeyPoint Government Solutions, which prompts the Office of Personnel Management to begin sending letters to more than 48,000 federal employees notifying them that their personal information may have been compromised by the incident. At the time, the OPM reports that there is no conclusive evidence any sensitive information has been exposed.

It has since been revealed that KeyPoint security credentials stolen in December were likely used to infiltrate the OPM’s computer systems that same month.

April 2015

The OPM detects a breach of its systems that is believed to have started back in December of 2014. According to a statement released by the agency, the intrusion was detected as a result of the OPM having upgraded its security detection and monitoring tools.

That same month, on April 22, U.S. government officials testify before the House Oversight and Government Reform Committee about the USIS hack that occurred last year. As part of her testimony, Donna Seymour, Chief Information Officer of the OPM, acknowledges that hackers attacked both USIS and OPM around the same time in March 2014. However, she reiterates that the OPM had been able to thwart the attack and has since “put mitigations in place to better protect the information.”

June 4, 2015

U.S. officials reveal the breach of the OPM’s computer systems to the public and state that the agency will begin sending out notifications to 4 million former and current federal employees warning them that their personal information might have been compromised. At the same time as this announcement, iSight Partners, a private security firm, links the intrusion to the Anthem hack that occurred earlier this year.

June 12, 2015

Officials close to the investigation uncover a second breach that is believed to have compromised computer systems containing information related to the background checks of former, current, and prospective federal employees, suggesting that the OPM breach is likely much larger than originally expected.

June 16, 2015

At a hearing before the House Oversight and Government Reform Committee, OPM Director Katherine Archuleta reveals that Social Security numbers stored by the OPM were not encrypted due to the networks being “too old.”

Around that same date, some news outlets begin reporting that as many as 14 million federal employees’ personal information might have been compromised. Archuleta and other OPM officials refuse to speculate about how many additional records might have been affected by the breach. However, they do state it is possible that more than 4.2 million people’s information was compromised.


June 23, 2015

FBI Director James Comey estimates that 18 million people—about four times the original estimates—were affected by the OPM breach. Those who had their information compromised might include those who applied for federal positions but who never ultimately worked for the U.S. government.

Officials close to the investigation also express their disagreement with the claim that the OPM should have severed ties with KeyPoint, explaining that the intrusion likely occurred after hackers infiltrated the investigations contractor back in December.

June 25, 2015

U.S. Intelligence Chief James Clapper confirms that China is the chief suspect behind the OPM breach.

June 30, 2015

The OPM temporarily disables a web-based platform used to complete background investigations following the discovery of a security vulnerability. At around the same time, it is announced that the American Federation of Government Employees union has filed a class-action lawsuit against the OPM, alleging that the director and other leadership of the Office of Personnel Management knew about certain security issues that led to the two breaches and that they chose to ignore federal directives urging the agency to fix them.

July 9, 2015

The OPM concludes its investigation of the breach it discovered in June of 2015 that affected its background check systems and reveals that 19.7 million individuals (as well as 1.8 million non-applicants, including spouses and partners) were affected by the incident. This is in addition to the 4.2 million people whose information was compromised in the personnel data breach that was discovered back in April of the same year.

 

  • Kernighan

    It does not make technical sense to say:
    <quote>Social Security numbers stored by the OPM were not encrypted due to the networks being “too old.”</quote>

    Encryption technology has been around for decades. The "networks" are the electronic devices, hardware, wiring, routers, switches and repeaters, and related protocols which allow digital information and equipment to communicate. What "network" would be so old that it could not possibly act as a medium for encrypted data? The answer is NONE.

    I have personal experience with a very large entity establishing encrypted formats for SS numbers. The DATABASE is where this focuses. A portion of the schema is established where encrypted information is stored for those instances where the data is considered "high risk" like with SS numbers, or records of other sensitive personal information.

    What database management system (DBMS) is OPM using? It would have to be tremendously old to have utterly no ability to interact with encryption in a SECTION of its schema. This sounds like statements made by very non-technical persons.