OPM Cyberattack Creates Dangerous Exposure for 21.5 Million Current and Former Federal Employees

POSTED JULY 10, 2015

A special to USLAW NETWORK and USLAW DigiKnow

By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey

According to news reports, the recent cyberattack on the Office of Personnel Management (“OPM”) is five times bigger than originally estimated. The FBI and other investigators now believe that, as a result of the second major hack of its IT systems this year, at least 21.5 million individual records of current or former federal employees have been breached, up from the 4.2 million the OPM originally reported. Moreover, this number is expected to continue to grow to as high as 32 million.

By repeatedly changing the signature of their malware, the hackers were able to bypass the government’s EINSTEIN intrusion-detection system and obtain highly sensitive information from 19.7 million security clearance applications known as SF-86 forms. These forms are made up of 127 pages of data. Larry Loeb, a columnist for Dark Reading, criticized the EINSTEIN intrusion-detection system, which he says “failed miserably.” Loeb noted that it failed because “it relied on people to tell it what to look for,” and since the hackers used a previously unknown zero-day vulnerability, it was not tracked by the system. The Department of Homeland Security’s Andy Ozment testified at a recent hearing that the agency is currently developing a third phase of EINSTEIN 3A, which is smarter and more nimble than EINSTEIN 1 and 2.
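The failure mode Loeb describes (a detector that only knows the indicators it has already been told about) is easy to see in code. The following is an added illustration, not anything from the article or from EINSTEIN itself: two constructed byte strings stand in for two builds of the same malware, differing only in trailing padding. A hash-based signature store recognizes only the build it was given, while a rule keyed to something the operators cannot cheaply change (here a constructed callback hostname embedded in the sample) still matches the altered build. All sample bytes, hashes and the hostname are constructed for this example.

```python
import hashlib

# Constructed stand-ins for two builds of one malware family (not real malware bytes).
# Build 2 is build 1 with one extra padding byte: the file hash changes, the behaviour does not.
SAMPLE_BUILD1 = b"\x4d\x5a" + b"stub" + b"callback=updates.example.invalid" + b"\x90" * 8
SAMPLE_BUILD2 = b"\x4d\x5a" + b"stub" + b"callback=updates.example.invalid" + b"\x90" * 9

# A signature store in the style the article criticizes: it contains only what analysts
# have already reported, here the SHA-256 of build 1.
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_BUILD1).hexdigest()}

# An invariant the operators would have to redeploy infrastructure to change
# (constructed hostname; a real rule would carry a vetted indicator).
INVARIANT_NEEDLES = [b"callback=updates.example.invalid"]


def hash_signature_hit(sample: bytes, known_hashes=KNOWN_BAD_HASHES) -> bool:
    """Exact-match detection: true only if this precise file was seen and reported before."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


def invariant_hit(sample: bytes, needles=INVARIANT_NEEDLES) -> bool:
    """Content-invariant detection: true if any hard-to-change artifact is present."""
    return any(needle in sample for needle in needles)


def triage(samples):
    """Return (name, hash_hit, invariant_hit) for each (name, bytes) pair."""
    return [(name, hash_signature_hit(data), invariant_hit(data)) for name, data in samples]


if __name__ == "__main__":
    for name, by_hash, by_invariant in triage([("build1", SAMPLE_BUILD1), ("build2", SAMPLE_BUILD2)]):
        print(f"{name}: hash signature={'HIT' if by_hash else 'miss'}, "
              f"invariant rule={'HIT' if by_invariant else 'miss'}")
```

The point for defenders is the second column: a store of exact signatures misses every variant an adversary re-packs, so detection has to include rules on what the malware does or must contain (callback destinations, beaconing behaviour, credential access patterns) rather than only what its bytes hash to.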

The sensitivity of the data stolen is hard to quantify. The SF-86 forms contain sensitive data about a person’s family, friends, spouses, employers, and past acquaintances. The latest incident with OPM gave the hackers access to a trove of personal information, including birthdates, Social Security numbers, previous addresses and security clearances. One official said the stolen information would enable a foreign intelligence service to chart out relationships among U.S. government employees and build pictures of individuals and their families, potentially enabling them to figure out ways to target or blackmail people for espionage purposes. FBI Director James Comey recently discussed the sensitive nature of this second breach: “If you have my SF-86, you know every place I’ve lived since I was 18, contact people at those addresses, neighbors at those addresses, all of my family, every place I’ve traveled outside the United States since I was 18.” He went on to state that “if I had substantial contact with any non-United States person, it’s on there, along with the contact information of that person. Just imagine you were a foreign intelligence service and you had that data, how it might be useful to you. So it’s a big deal.” John Boehner was recently quoted as saying, “Americans who serve our country need to be able to trust that the government can keep their personal information safe and secure.”

Following the massive government data breach, pressure was put on President Obama to remove OPM Director Katherine Archuleta from office. Rep. John Carter (R-TX) pointed out that, since 2008, the OPM has spent $577 million on IT but was still using COBOL programming developed in 1959. “Yes,” Archuleta admitted, “We are working with a legacy system developed in 1959.” On July 10, 2015, Katherine Archuleta, director of the federal Office of Personnel Management, submitted her resignation in person to President Barack Obama. “If there is anyone to blame, it’s the perpetrators,” she told senators during a hearing on June 23, 2015.

Because the breach occurred a year ago, the hackers had ample time to probe the network and collect highly sensitive data that may have a direct impact on the safety of federal employees, their families and international diplomacy. Although the government is reluctant to make public statements about a suspect, official sources are consistently providing anonymous reports that the Chinese government, not criminal hackers, is thought to be behind the hack. Additionally, it is believed to be the same group that hacked the health insurance company Anthem, as the attackers used a rare type of malware called Sakula that was also used in the Anthem breach.

The tensions from the OPM cyberattack are reaching diplomatic levels, as the U.S. recently held its annual security talks with China. One U.S. official said the federal government would directly raise the theft of personnel data with Chinese officials during these talks. However, China has denied involvement with the OPM hacks.

President Barack Obama has vowed that the U.S. will aggressively bolster its cyber defenses. He further stated that the U.S. has old computer systems with “significant vulnerabilities” and needs to be “much more aggressive” in stepping up defenses. Thus, the President has urged the U.S. Congress to move forward on passing cybersecurity legislation. He further expressed his opinion at a recent news conference at the Group of Seven (G7) summit in Germany: “We have to be as nimble, as aggressive and as well-resourced as those who are trying to break into these systems.”

Clearly, what makes this cyberattack different from others is the nature of the security information that was disclosed. In particular, the stolen data includes highly sensitive personal information contained in the security clearance applications of former and current U.S. government employees. Although there is no evidence to date that the information has been used, the wrongful use of the data could have an impact on national security and result in financial and physical harm to the affected federal employees and their families. Furthermore, relationships with Chinese diplomats could be at risk since they are no longer confidential.
