After it was revealed in June that two large-scale hacks at the Office of Personnel Management resulted in the theft of millions of employee personnel files and sensitive security-clearance information, members of Congress called a series of committee hearings to get to the bottom of the events that led to the hacks.
Those hearings landed recently resigned OPM Director Katherine Archuleta in the hot seat, where she was grilled for her handling of the agency’s data security and IT practices in the lead-up to the breaches. In one heated exchange last month, Sen. John McCain struck out at Archuleta for withholding information about the breaches, and for not herself meeting with the FBI after the hack occurred. Just one day before, House Oversight Committee Chairman Jason Chaffetz accused Archuleta of lying outright about an OPM data breach early last year.
But lawmakers also spent a considerable amount of time at these hearings trying to clear up basic details about the hacks. Archuleta and her colleagues at the Department of Homeland Security were repeatedly asked about the number, scale, and timelines of data breaches that affected OPM and two contractors that provided background-check services for the personnel agency.
The timelines below are based on official OPM numbers, testimony from Archuleta and Andy Ozment, assistant secretary for cybersecurity and communications at DHS, and are supplemented by information from news reports.
USIS Security Breach
USIS was the largest contractor tasked with providing background-investigation services for OPM when its database was hacked. That hack, which likely came from China, resulted in the loss of more than 25,000 records belonging to DHS employees, and it led OPM to terminate its contracts with USIS. The contractor later went bankrupt.
First OPM Security Breach
Officials say that the first hack that targeted OPM itself didn’t result in the loss of employee records, but the attackers — likely China again — did make off with some documents about OPM servers.
Chaffetz called these documents “blueprints, essentially the keys to the kingdom,” but OPM and DHS officials pushed back on the “blueprint” characterization. Donna Seymour, the OPM’s chief information officer, said they were “outdated security documents about our systems and some manuals about our systems,” and Ann Barron-DiCamillo, a top DHS cybersecurity official, said they did not include “proprietary information or specific information around the architecture of the OPM environment.”
First KeyPoint Security Breach
After OPM’s contracts with USIS for background checks were terminated, they were shifted to KeyPoint, another large government contractor. But it wasn’t long before KeyPoint discovered that it, too, had been hacked. Nearly 50,000 DHS workers were notified that their personal information may have been exposed, but Barron-DiCamillo said her agency couldn’t confirm that any data was actually stolen.
After the breach, KeyPoint revamped its security systems, and OPM decided to continue its relationship with the contractor.
Second KeyPoint Security Breach
In June, it was revealed that another, separate data breach was discovered at KeyPoint at roughly the same time as the breach made public last year. Less is known about this hack, including when the breach began, but reports indicate that as many as 390,000 records may have been compromised.
Further, one of the two KeyPoint breaches appears to have led directly to the hack at OPM that began in October. Archuleta confirmed to lawmakers that the stolen security credentials of a KeyPoint employee were used to get into OPM’s servers in October, resulting in the theft of 4.2 million employee records.
Second OPM Security Breach
OPM announced Thursday that 21.5 million individuals had their Social Security information compromised in this breach, a scope which exceeded even the most extreme reports before it was revealed.
Of the 21.5 million individuals affected, 19.7 million are current, former, or prospective federal employees or contractors. The remaining 1.8 million records belong to other individuals — mostly family members.
Since this attack breached a server used to store background check information, the stolen data included sensitive information like addresses, employment history, financial and mental health information, and usernames and passwords. 1.1 million fingerprint files were also stolen.
Officials have privately linked this attack to China.
OPM said it will notify the affected individuals and offer them at least three years of free credit-check identity fraud-protection services, but it has not yet found a contractor to provide those services.
Third OPM Security Breach
The information stolen in this breach belongs to OPM, but it is held offsite, on a server at the Department of the Interior. The hackers used a KeyPoint employee’s credential, gleaned from an earlier breach, to gain access to the data, which did not include any security clearance information.
Although the White House has not officially attributed this breach to a foreign country or criminal group, it has all but acknowledged that Chinese hackers were behind the theft of 4.2 million employee personnel records.
CSID, a company that provides identity-theft protection services, has notified every affected federal employee. The company says that 500,000 people have signed up for an 18-month protection plan, offered free of charge by OPM, which paid about $20 million to cover affected individuals.