Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

OPM Breach Victims: Tens of Millions?

FBI Director Sees Scale of Breach Expanding
OPM Breach Victims: Tens of Millions?

The number of data breach victims stemming from the hack attack against the Office of Personnel Management may number in the tens of millions.

See Also: Cyber Insurance Assessment Readiness Checklist

FBI Director James Comey has told U.S. senators in recent weeks, in closed-door briefings, that the tally of data breach victims might number 18 million people, CNN reports. That estimate is reportedly based on the results of the FBI's investigation into the OPM breach, which has found that information pertaining to not just current and former federal employees - but also prospective ones - was exposed.

But according to another report, that 18 million tally only applies to a single breached database. As investigators continue to investigate the year-long intrusion into OPM systems - which pull data from a number of other federal agencies' systems - they now believe that the number of victims may reach into the tens of millions, ABC News reports.

Exclusive Webinar: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

One reason why the breach victim tally could continue to grow is because the exposed information included SF-86 background check questionnaires, which contain personally identifiable information not just for the person being investigated, but also their family members and acquaintances, CNN reports.

Since publicly revealing the OPM data breach on June 4, the White House has only confirmed that a hack attack may have compromised names and PII for 4.2 million current and former federal employees. But last week, officials - speaking on condition of anonymity - first began warning that the breach tally could hit 9 million to 14 million, and include information on employees stretching back to the 1980s (see Millions More Affected by OPM Breach).

"Obviously they started at 4 million," House Homeland Security Chairman Michael McCaul, R-Texas, told reporters as he exited a June 16 OPM breach briefing with Obama administration officials. "That number is increasing."

Problem: Interconnected Legacy Systems

Calculating an accurate breach tally to date has been complicated by OPM systems pulling data from a number of other agencies' systems, many of which are legacy systems, OPM CIO Donna Seymour said in a June 16 House Committee on Oversight and Government Reform committee hearing (see Lawmakers Lambaste OPM Chief Over Hack).

At that hearing, Rep. Elijah Cummings, D-Md., questioned whether hackers might have accessed OPM's systems using data stolen from the 2014 hack of KeyPoint Government Solutions or the 2013 hack of U.S. Investigations Services. Both of those firms have conducted background investigations for OPM. But no representative from either company was present at that hearing.

Neither KeyPoint nor USIS responded to Information Security Media Group's request for comment. But Cummings has called on them to appear before his committee. "I now feel more strongly than ever that the Oversight Committee must hear directly from OPM's two contractors - KeyPoint and USIS - either in transcribed interviews or in formal testimony before the committee," he said after the hearing. "I also believe the committee should now request a much more detailed, comprehensive, and classified briefing from government IT experts about the specific vulnerabilities that contractors pose to our government's cybersecurity."

Who Got Hacked First?

FBI investigators have said that when the OPM breach was discovered in April, they found that credentials obtained from a network breach at KeyPoint had been used to access OPM databases, CNN reports. The KeyPoint breach was first disclosed in December, and it may have exposed PII for almost 50,000 people.

Confusingly, however, CNN also reports that investigators believe that the OPM breach predated the KeyPoint intrusion. That means that attackers could have used stolen OPM credentials to first hack into KeyPoint.

At least three House and Senate committee hearings into the OPM breach are scheduled for this week, plus at least one closed-door hearing.

Experts Attribute Attack To China

To date, the FBI and White House have not attributed the OPM breach to any particular person or government. But multiple officials, again speaking on condition of anonymity, have blamed China. The Chinese government, however, has dismissed reports that it was involved in the breach.

But researchers at threat intelligence firm ThreatConnect, which discovered the breaches against Anthem and Premera - which they traced to Chinese attackers - say they believe that Chinese attackers were responsible for the OPM breach (see OPM Breach: The Unanswered Questions).

"Based on open source research and technical analysis, we believe that Chinese-based actors operating on behalf of the government of the People's Republic of China are responsible for the 2015 OPM breach," ThreatConnect researchers say in a blog post that traces hack attacks targeting PII for federal workers back to at least 2013. "Although the specific group(s) responsible for this activity have proven to be somewhat amorphous, many independent researchers and threat intelligence analysts with familiarity of this ongoing activity will concur that the ultimate benefactor of the stolen data is the central government in Beijing."

This particular attack group, ThreatConnect says, also appears to have targeted multiple Blue Cross and Blue Shield health insurers, including Anthem and Premera.

ThreatConnect says that the attacks are part of a coordinated campaign targeting federal workers' PII, which dates from at least 2013, when USIS fell victim to the aforementioned breach, which officials say likely exposed personal information for 25,000 government workers (see What's Behind OPM's Ousting of USIS?).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.