Serious Data Breach at OPM

The U.S. Office of Personnel Management (OPM) is an independent agency of the U.S. government that assists other federal agencies in hiring new employees, conducting background check investigations, and managing pension benefits for retired federal employees and their families. The agency maintains data on millions of federal government employees, retirees, contractors, and prospective employees. These data were recently compromised in two sepa- rate but related data breaches at the OPM, raising concerns not only about potential identity theft and blackmail but also about the possible use of that data in intelligence operations launched against the United States.

Early in 2015, OPM discovered that the personnel data (full name, birth date, home address, and Social Security numbers) of 4.2 million current and former federal government employees had been stolen. Then, in June 2015, OPM announced that the background investi- gation records of 21.5 million current, former, and prospective federal employees and contrac- tors had been stolen as the result of a second data breach.

During a hearing in front of the House Oversight and Reform Committee shortly after the second breach was announced, OPMs Chief Information Officer Donna Seymour acknowl- edged that the information compromised in the data breach included SF-86 data as well as clearance adjudication information. Current and prospective federal employees and service members who require a security clearance must complete the SF-86, a 127-page questionnaire, which asks for information about family members, friends, employment history, foreign travel, interactions with foreign nationals, details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records, and court actions. The document also includes information from record checks with local law enforcement where the individual lived, worked, or went to school during the previous 10 years.

Adjudication information includes additional personal information that is gathered for all persons being considered for initial or continued eligibility for access to classified information. The information is obtained through personal interviews not only with the applicant but also with educators, employers, neighbors, references, roommates, significant others, and spouses of the applicant. Adjudication information can include revelations about past sexual behavior, personal debt, specific reasons for a divorce, and information about a history of addictions, among other details. The adjudication data that were breached at the OPM also included actual fingerprint data for more than 5.6 million people.

While the personally identifiable information exposed in the intrusion creates a risk of identity theft, security experts are more concerned that a nation or even a criminal organization could use the information to run intelligence operations against the United States on a massive and unprecedented scale. Some of the issues of particular concern to security experts include the following:

Because the Central Intelligence Agency (CIA) conducts its own background checks on potential employees, and did not manage the process through the OPM, any State Department employees whose data were not stolen in the OPM data breach could be identified as likely agents of the CIA.

The perpetrators of the data breach could have tampered with the data and granted security clearances to people who not only didnt actually warrant them, but who might have been recruited in advance to work for the attackers.

The sensitive personnel information data gathered could be used to neutralize U.S. agents and officials by exploiting their personal weaknesses and/or targeting their relatives abroad.

After the breaches were announced, the U.S. Department of Defense and OPM awarded a $133 million contract to Identity Theft Guard Solutions LLC to provide 10 years of credit monitoring and identity theft protection for the 21.5 million individuals whose personal information was stolen. However, when information about spouses, children, significant others, and people who are listed as references on the security clearance records is factored in, the number of people whose personally identifiable information was compromised is likely in the range of 78 million to 276 million people. Not all these additional people were offered identity theft protection.

In June 2015, the American Federation of Government Employees (AFGE), the countrys largest government employee union, filed a class action lawsuit in U.S. district court against the agency, OPM Director Katherine Archuleta, OPM Chief Information Officer Donna Seymour, and KeyPoint Government Solutions, the contractor hired by OPM to conduct the background investigations. The American Federation of Government Employees says OPM and the contractor violated the Privacy Act by neglecting to secure employees personal data (even after repeated warnings about its data security practices), which resulted in financial and emotional harm for those employees.

While claims alleging OPMs failure to protect workers data could hold up in court, proving damages have actually been suffered will likely be more difficult. The precedent used by courts deciding on issues related to fear of prospective losses (which is the basis of the AFGE law- suit) has been a 2013 decision, Clapper v. Amnesty International USA. In that case, journalists and human rights advocates unsuccessfully sued for damages related to the cost and inconvenience of protecting themselves against the possibility of warrantless digital surveillance authorized by the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008. They claimed that they engage in sensitive international communications with individuals who they believe are likely targets of surveillance authorized under 1881a of the Amendments Act. The Supreme Court ruled that they could not show that they suffered injury that was particularized, and actual or imminent, fairly traceable to the challenged action, and addressable by a favorable ruling.83 As a result, the plaintiffs lacked standing and the lawsuit was thrown out of court.

The claims of the plaintiff in the AFGE lawsuit are likely to be bolstered in part by finding in a report from the U.S. House of Representatives Committee on Oversight and Government Reform, which indicates that OPM did not follow rudimentary cybersecurity recommendations that could have mitigated or even prevented the attacks. According to the report, the OPM data breaches were made worse by the agencys careless security culture and ineffective leadership, which failed to employ readily available tools that could have stopped or mitigated the intrusions. The report also pointed out that the OPM had failed to act on repeated inspector general reports as far back as 2005 that warned of cybersecurity shortcomings.

OPM director Katherine Archuleta resigned a month after the breaches were announced in response to pressure from House Oversight and Government Reform Committee Chairman Jason Chaffetz. In February 2016, Donna Seymour, CIO for the Office of Personnel Management, announced her retirement. Pressure had been mounting on Seymour for her to step down, and her resignation came just two days before she was scheduled to testify again before the House committee.

OPM has claimed that it achieved significant progress in improving cybersecurity on its systems following the data breaches. The agency has implemented multifactor authentication, modernized its information technology infrastructure, appointed a new senior cybersecurity adviser, and formed a new organization responsible for background checks on employees and contractors. That new entity, the National Background Investigations Bureau (NBIB), which became operational in October 2016, runs on information systems that are managed by the Pentagon.

Critical Thinking Questions:

How might foreign powers and/or terrorists use the stolen data to mount intelligence operations against the United States?

Go online to do research on the steps OPM has taken to improve its cybersecurity? Are you satisfied with these actions? If not, what additional changes would you suggest?