A Timeline of Government Data Breaches

Since April 2013, six hacks targeted OPM and its contractors, resulting in the theft of millions of federal workers’ personal data.

Stephanie Stamm and Kaveh Waddell
July 6, 2015, 6:15 a.m.

After it was revealed in June that two large-scale hacks at the Office of Personnel Management resulted in the theft of millions of employee personnel files and sensitive security-clearance information, members of Congress called a series of committee hearings to get to the bottom of the events that led to the hacks.

Those hearings landed recently resigned OPM Director Katherine Archuleta in the hot seat, where she was grilled for her handling of the agency’s data security and IT practices in the leadup to the breaches. In one heated exchange last month, Sen. John McCain struck out at Archuleta for withholding information about the breaches, and for not herself meeting with the FBI after the hack occurred. Just one day before, House Oversight Committee Chairman Jason Chaffetz accused Archuleta of lying outright about an OPM data breach early last year.

But lawmakers also spent a considerable amount of time at these hearings trying to clear up basic details about the hacks. Archuleta and her colleagues at the Department of Homeland Security were repeatedly asked about the number, scale, and timelines of data breaches that affected OPM and two contractors that provided background-check services for the personnel agency.

The timelines below are based on official OPM numbers, testimony from Archuleta and Andy Ozment, assistant secretary for cybersecurity and communications at DHS, and are supplemented by information from news reports.

USIS Security Breach

USIS was the largest contractor tasked with providing background-investigation services for OPM when its database was hacked. That hack, which likely came from China, resulted in the loss of more than 25,000 records belonging to DHS employees, and it led OPM to terminate its contracts with USIS. The contractor later went bankrupt.

First OPM Security Breach

Officials say that the first hack that targeted OPM itself didn’t result in the loss of employee records, but the attackers — likely China again — did make off with some documents about OPM servers.

Chaffetz called these documents “blueprints, essentially the keys to the kingdom,” but OPM and DHS officials pushed back on the “blueprint” characterization. Donna Seymour, the OPM’s chief information officer, said they were “outdated security documents about our systems and some manuals about our systems,” and Ann Barron-DiCamillo, a top DHS cybersecurity official, said they did not include “proprietary information or specific information around the architecture of the OPM environment.”

First KeyPoint Security Breach

After OPM’s contracts with USIS for background checks were terminated, they were shifted to KeyPoint, another large government contractor. But it wasn’t long before KeyPoint discovered that it, too, had been hacked. Nearly 50,000 DHS workers were notified that their personal information may have been exposed, but Barron-DiCamillo said her agency couldn’t confirm that any data was actually stolen.

After the breach, KeyPoint revamped its security systems, and OPM decided to continue its relationship with the contractor.

Second KeyPoint Security Breach

In June, it was revealed that another, separate data breach was discovered at KeyPoint at roughly the same time as the breach made public last year. Less is known about this hack, including when the breach began, but reports indicate that as many as 390,000 records may have been compromised.

Further, one of the two KeyPoint breaches appears to have led directly to the hack at OPM that began in October. Archuleta confirmed to lawmakers that the stolen security credentials of a KeyPoint employee were used to get into OPM’s servers in October, resulting in the theft of 4.2 million employee records.

Second OPM Security Breach

OPM announced Thursday that 21.5 million individuals had their Social Security information compromised in this breach, a scope which exceeded even the most extreme reports before it was revealed.

Of the 21.5 million individuals affected, 19.7 million are current, former, or prospective federal employees or contractors. The remaining 1.8 million records belong to other individuals — mostly family members.

Since this attack breached a server used to store background check information, the stolen data included sensitive information like addresses, employment history, financial and mental health information, and usernames and passwords. 1.1 million fingerprint files were also stolen.

Officials have privately linked this attack to China.

OPM said it will notify the affected individuals and offer them at least three years of free credit-check identity fraud-protection services, but it has not yet found a contractor to provide those services.

Third OPM Security Breach

The information stolen in this breach belongs to OPM, but it is held offsite, on a server at the Department of the Interior. The hackers used a KeyPoint employee’s credential, gleaned from an earlier breach, to gain access to the data, which did not include any security clearance information.

Although the White House has not officially attributed this breach to a foreign country or criminal group, it has all but acknowledged that Chinese hackers were behind the theft of 4.2 million employee personnel records.

CSID, a company that provides identity-theft protection services, has notified every affected federal employee. The company says that 500,000 people have signed up for an 18-month protection plan, offered free of charge by OPM, which paid about $20 million to cover affected individuals.

