{
	"id": "582b9ea0-1aa6-49ad-acd2-769e1d32d1dd",
	"created_at": "2026-04-06T00:07:28.21475Z",
	"updated_at": "2026-04-10T13:12:26.216789Z",
	"deleted_at": null,
	"sha1_hash": "d7a3f88ed03baacbe97327c7e77c59d6c602c24b",
	"title": "Catching Up on the OPM Breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 546847,
	"plain_text": "Catching Up on the OPM Breach\r\nPublished: 2015-06-16 · Archived: 2026-04-05 13:43:10 UTC\r\nI heard from many readers last week who were curious why I had not weighed in on the massive (and apparently\r\nstill unfolding) data breach at the U.S. Office of Personnel Management (OPM). Turns out, the easiest way for a\r\nreporter to make sure everything hits the fan from a cybersecurity perspective is to take a two-week vacation to the\r\nother end of the world. What follows is a timeline that helped me get my head on straight about the events that\r\npreceded this breach, followed by some analysis and links to other perspectives on the matter.\r\nOPM offices in Washington, DC. Image: Flickr.\r\nJuly 2014: OPM investigates a breach of its computer networks dating back to March 2014. Authorities trace the\r\nintrusion to China. OPM offers employees free credit monitoring and assures employees that no personal data\r\nappears to have been stolen.\r\nAug. 2014: It emerges that USIS, a background check provider for the U.S. Department of Homeland Security,\r\nwas hacked. USIS offers 27,000 DHS employees credit monitoring through AllClearID (full disclosure: AllClear\r\nis an advertiser on this blog). Investigators say Chinese hackers are responsible, and that the attackers broke in\r\nby exploiting a vulnerability in an enterprise management software product from SAP. OPM soon suspends work\r\nwith USIS.\r\nNovember 2014: A report (PDF) by OPM’s Office of the Inspector General on the agency’s compliance with the\r\nFederal Information Security Management Act finds “significant” deficiencies in the department’s IT security. The\r\nreport found OPM did not maintain a comprehensive inventory of servers, databases and network devices, nor\r\nwere auditors able to tell if OPM even had a vulnerability scanning program. 
The audit also found that multi-factor authentication (the use of a token such as a smart card, along with an access code) was not required to\r\naccess OPM systems. “We believe that the volume and sensitivity of OPM systems that are operating without an\r\nactive Authorization represents a material weakness in the internal control structure of the agency’s IT security\r\nprogram,” the report concluded.\r\nhttps://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/\r\nPage 1 of 4\n\nDec. 2014: KeyPoint, a company that took over background checks for USIS, suffers breach. OPM states that\r\nthere is “no conclusive evidence to confirm sensitive information was removed from the system.” OPM vows to\r\nnotify 48,439 federal workers that their information may have been exposed in the attack.\r\nFeb. 2015: Health insurance giant Anthem discloses breach impacting nearly 80 million customers. Experts later\r\ntrace domains, IP addresses implicated in attack to Chinese hackers. Anthem offers two years of free credit\r\nmonitoring services through AllClearID.\r\nMay 2015: Premera Blue Cross, one of the insurance carriers that participates in the Federal Employees Health\r\nBenefits Program, discloses a breach affecting 11 million customers. Federal auditors at OPM warned Premera\r\nthree weeks prior to the breach that its network security procedures were inadequate. Unlike the Anthem breach,\r\nthe incident at Premera exposes clinical medical information in addition to personally identifiable information.\r\nPremera offers two years of free credit monitoring through Experian.\r\nMay 2015: Carefirst Blue Cross discloses breach impacting 1.1 million customers. Clues unearthed by researchers\r\npoint to the same attack infrastructure and methods used in the Anthem and Premera breach. 
Carefirst offers two\r\nyears free credit monitoring through Experian.\r\nJune 2015: OPM discloses breach affecting up to 4 million federal employees, offers 18 months of free credit\r\nmonitoring through CSID. Follow-up reports indicate that the breach may extend well beyond federal employees\r\nto individuals who applied for security clearances with the federal government.\r\nANALYSIS\r\nAs the OPM’s Inspector General report put it, “attacks like the ones on Anthem and Premera [and OPM] are likely\r\nto increase. In these cases, the risk to Federal employees and their families will probably linger long after the free\r\ncredit monitoring offered by these companies expires.”\r\nThat would appear to be the understatement of the year. The OPM runs a little program called e-QIP, which\r\nprocesses applications for security clearances for federal agencies, including top secret and above. This bit, from a\r\nJuly 10, 2014 story in The Washington Post, puts the depth and breadth of this breach in better perspective:\r\n“In those files are huge treasure troves of personal data, including “applicants’ financial histories and\r\ninvestment records, children’s and relatives’ names, foreign trips taken and contacts with foreign\r\nnationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers.”\r\nThat quote aptly explains why a nation like China might wish to hoover up data from the OPM and a network of\r\nhealthcare providers that serve federal employees: If you were a state and wished to recruit foreign spies or\r\nuncover traitors within your own ranks, what sort of goldmine might this data be? 
Imagine having access to files\r\nthat include interviews with a target’s friends and acquaintances over the years, some of whom could well have\r\nshared useful information about that person’s character flaws, weaknesses and proclivities.\r\nFor its part, China has steadfastly denied involvement. Politico cites a news story from the Chinese news service\r\nXinhua which dismissed the U.S. allegations as “obviously another case of Washington’s habitual slander against\r\nBeijing on cybersecurity.”\r\n“It also pointed to the information disclosed by former NSA subcontractor Edward Snowden, saying the U.S. itself\r\nis guilty of ‘large-scale, organized cyber theft, wiretapping and supervision of political figures, enterprises and\r\nindividuals of other countries, including China’,” Politico’s David Perera writes.\r\nThere are some who would say it is wrong or at least foolhardy to dwell on forensic data and other\r\nclues suggesting that hackers closely allied with the Chinese government were involved in these attacks. Indeed,\r\nthere is a contingent of experts who argue that placing so much emphasis on attribution in these sorts of attacks is\r\na diversion that distracts attention and resources from what really matters: learning from one’s mistakes and\r\nfocusing on better securing and maintaining our critical systems.\r\nAs part of my visit to Australia (and then to gorgeous New Zealand) these past few weeks, I was invited to speak\r\nat two separate security conferences. At one of them, my talk was preceded by a speech from Mike Burgess, chief\r\ninformation security officer at Telstra, Australia’s largest telecom provider. Burgess knows a few things about\r\nattribution: He is an 18-year veteran of the Australian Signals Directorate (formerly the Defence Signals\r\nDirectorate and the Australian equivalent of the U.S. 
National Security Agency).\r\nIn his speech, Burgess railed against media reports about high-profile cyber attacks that created an atmosphere of\r\nwhat he called “attribution distraction” and “threat distraction.” A reporter with ZDNet captured Burgess’s\r\nthoughts with this quote:\r\n“Don’t get me wrong….I’m not saying that attribution isn’t important. I’m not saying that issues of\r\nsource, great technical intelligence, and other forms of intelligence to understand the threat and the\r\nintentions of those looking to steal information from you, or disrupt your organisation for some purpose\r\nthat may be unknown to you, [are not important].”\r\n“But what I observe, what I fear, what I see too much of, is many commentators, many in the industry,\r\nand many in media, focus on attribution, with very little focus on the root cause. No-one should lose\r\nvaluable information where at the root cause there is a known remedy. For me, that is unforgivable in\r\nthis day and age. And I’ve got to tell you — my view at least — too much of this distraction around\r\nattribution takes away from focusing on what’s really important here.”\r\nThere is, no doubt, a great deal of wisdom in Mr. Burgess’s words. After all, OPM clearly could have been doing\r\nmuch more to beef up security around its very sensitive stores of data. But perhaps Burgess was onto something\r\nfor a different reason: At least as it relates to the United States’ tenuous relations with China, having strong\r\nindicators of attribution in an attack of this magnitude puts the White House rather publicly between a rock and a\r\nhard place.\r\nAs The New York Times writes, the Obama administration now finds itself under pressure to respond in some way,\r\nand is reportedly considering financial sanctions against China. 
But as The National Journal wryly observes, this\r\nis a bit of an awkward position for a government that hardly holds the moral high ground when it comes to spying\r\non and hoovering up data from foreign governments.\r\n“That’s partially because in the two years since Edward Snowden’s leaks about U.S. surveillance, the Obama\r\nadministration has repeatedly argued that hacking into computer networks to spy on foreigners is completely\r\nacceptable behavior,” writes Brendan Sasso. “It won’t be so easy for the U.S. to express indignant outrage just\r\nbecause it’s on the opposite side of the surveillance this time.”\r\nIf you’re affected by these breaches and wondering what you can do to protect yourself besides signing up for\r\ncredit monitoring services, please see this story.\r\nSource: https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/"
	],
	"report_names": [
		"catching-up-on-the-opm-breach"
	],
	"threat_actors": [],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7a3f88ed03baacbe97327c7e77c59d6c602c24b.pdf",
		"text": "https://archive.orkl.eu/d7a3f88ed03baacbe97327c7e77c59d6c602c24b.txt",
		"img": "https://archive.orkl.eu/d7a3f88ed03baacbe97327c7e77c59d6c602c24b.jpg"
	}
}