The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation

House Oversight and Government Reform Chairman Jason Chaffetz (R-UT) released a staff report titled The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, chronicling the Committee’s year-long investigation into how highly personal, highly sensitive data of millions of Americans was compromised by a foreign adversary in 2015. The report outlines findings and recommendations to help the federal government better acquire, deploy, maintain, and monitor its information technology.

As a result of one of the Committee’s findings, Chairman Chaffetz sent a letter to the Government Accountability Office (GAO) requesting an opinion on whether the Office of Personnel Management (OPM) violated the Anti-Deficiency Act (ADA) when it accepted services from a company without payment.

Key findings, recommendations and an excerpt from the letter are below:

Key Findings:

  • The OPM data breach was preventable.
  • OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber attacks, and failed to prioritize resources for cybersecurity.
  • Data breaches in 2014 were likely connected and possibly coordinated to the 2015 data breach.
  • OPM misled the public on the extent of the damage of the breach and made false statements to Congress.

Key Recommendations:

  • Reprioritize federal information security efforts toward zero trust.
  • Ensure agency CIOs are empowered, accountable, and competent.
  • Reduce use of social security numbers by federal agencies.
  • Modernize existing legacy federal information technology assets.
  • Improve federal recruitment, training, and retention of federal cybersecurity specialists.

Letter to GAO:

“In brief, we believe OPM violated the ADA when the agency retained and deployed CyTech’s software following a product demonstration, and never paid.”

A timeline of the breaches can be found here.


The OPM data breach 2 years on: What government agencies must do now

Recent reports show declining grades for government agencies’ efforts to improve cybersecurity. Experts weigh in on what needs to be done.


The Office of Personnel Management (OPM) breach in June 2015 was a big wake-up call to our federal government, and, in its wake, a number of initiatives were launched to improve the government’s cybersecurity posture. Despite several concrete improvements, progress has stalled in some areas, as demonstrated by a series of assessments conducted since the breach occurred.

In the fall of 2015, the Government Accountability Office (GAO) conducted its first assessment under the Federal IT Acquisition Reform Act, which covers cybersecurity as well as other areas of IT. Out of 24 agencies, none received an A, two received Bs, five got Cs, 14 got Ds and three agencies — the Department of Education, the Department of Energy and NASA — received failing grades.

Over the following six months, seven agencies raised their scores, and one saw its score go down. By the time of the following assessment, in late 2016, 12 agencies improved their scores and, again, one fell.  The most recent version of the scorecard, released by the House Oversight and Government Reform Committee on June 14, shows that progress had stalled. Only four agencies improved their scores, and five saw their scores fall.

Today, only one agency, USAID, scored an A. Seven agencies scored Bs, 10 got Cs, five got Ds, and one agency, the Department of Defense, fell to an F, according to a copy of the scorecard obtained by Federal News Radio. Zeroing in on the transparency and risk management scores, five agencies received failing grades.

The government had three main problem areas to address after the OPM breach: management, bureaucracy and the technology itself. While there has been some progress on the tech front, many of the bigger organizational issues remain.

The buck stops… where?

A key lesson of the OPM breach was that the problems started at the top. “The long-standing failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the inspector general, represents a failure of culture and leadership, not technology,” the House Oversight Committee wrote in its 241-page report about the causes and consequences of the breach.


Real cybersecurity improvements start when an organization, including its top leaders, is aware of and engaged in the problem. The OPM actually improved in this area, from a B score last summer to an A in this month’s FITARA scorecard.

Other agencies fared poorly. In fact, leadership is one of the areas that saw the least progress after the OPM breach. Last August, nine agencies received Fs for the degree of authority of their CIOs. This improved only slightly this month, to seven.

In his testimony before the House Committee on Oversight and Government Reform earlier this month, Gartner research director Rick Holgate criticized the government’s slow improvements in this area. “If CIOs and agency leadership are not regularly interacting with each other, CIOs and IT professionals will forever be playing catch-up, leading to excess costs, performance gaps, and security flaws,” he told the committee.

The lack of accountability at the top of the organization was the number one lesson of the OPM breach, says Anthony Dagostino, global head of cyber risk at London-based Willis Towers Watson. Dagostino is an active member of the FBI’s Infragard program and is also involved with various working groups at the Department of Treasury, Department of Homeland Security and the Senate Commerce Committee.

Both President Barack Obama and President Donald Trump have directly addressed this issue in their cybersecurity executive orders, he says. “The executive orders really hold the executive department heads and agency heads responsible for cyber risk management and cybersecurity, instead of the IT department,” he says. Trump’s executive order was signed in May 2017, and includes a number of measures designed to strengthen cybersecurity, including a mandate to use the NIST framework to manage risk.

“The NIST cybersecurity framework has really taken hold, not just in the government but across the US, and is becoming a de facto standard for looking at and assessing an organization’s cybersecurity posture,” says Richard Spires, chairman of the board at Resilient Network Systems and former CIO of the Department of Homeland Security.

“I think it sends the right message to agencies about how important this is,” he says. “Obviously, the proof is in actually doing it and carrying it out, but I think these are very positive steps that are being taken.”

Better technology

While the OPM received an A for its leadership in the latest FITARA scorecard, its overall score barely budged, from a D in October 2015 to a D+ this month. There were a number of areas in which OPM desperately needed to improve its technology. Users were able to access the systems with just passwords, for example, and the critical databases were not encrypted. Much of the infrastructure was old and out of date, and there was a lack of network security controls.

The lack of strong authentication was a particularly thorny problem because the federal government already had a two-factor system in place, the Personal Identity Verification card. OPM ignored that mandate, and none of the agency’s 47 major applications required PIV authentication, according to the audit report.

Since then, two-factor authentication has been deployed for all users accessing the OPM’s new National Background Investigations Bureau, launched last fall to replace the old Federal Investigative Services. In addition, government agencies — and the industry in general — are moving away from having large databases full of passwords or biometric data.

“The White House made a big push to make sure that OPM and every other agency is using strong authentication everywhere,” says Jeremy Grant, managing director for technology, business and strategy at Washington, D.C.-based Venable LLP. Grant headed the national strategy for trusted identity in cyberspace for the Obama administration.

One approach is FIDO, a set of authentication standards from the FIDO Alliance under which the user is verified locally by an authenticator (a fingerprint sensor or PIN on a phone or security key) that holds a private key; the biometric template stays on the device, and the website or application receives only a public key at enrollment and a signature at each login, so there is no central database of passwords or biometrics to steal. “The upcoming guidance from NIST recognizes FIDO as the highest level of assurance for authentication,” Grant says.

First, the system protects fingerprints, retina scans and other biometric information from being stolen in the first place, by storing it in a hardened, secure area on a smartphone or other device. Second, if the fingerprint image is stolen anyway, say, during the OPM breach, and someone creates a dummy finger with it, the attacker would also have to steal the user’s authentication device in order to make use of it, says Grant.

“They’d have to steal my phone, and incapacitate me so that I couldn’t use my Find my iPhone function and brick it,” he says. “And if someone has stolen my phone and has me incapacitated, I have much bigger problems.”
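The flow Grant describes, as an added example that is not code from the article, from the FIDO Alliance or from OPM: a registration and login written in Go with only the standard library. The relying-party name hr.example.gov, the user alice and the look-alike origin hr-login.example.net are assumed for illustration. The device signs a hash of the relying-party ID and a fresh server challenge with a key that never leaves it, and the server stores only the public key. The demo also confirms the two properties a practitioner should check in any such deployment: a captured signature cannot be replayed, and a phishing origin cannot obtain a signature. Real FIDO2/WebAuthn adds attestation, signature counters and CBOR encoding that this sketch leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is the user's device; the private key and biometric template never leave it.
type Authenticator struct {
	priv         *ecdsa.PrivateKey
	rpID         string // relying party this credential was registered with
	userVerified bool   // result of the local fingerprint/PIN check
}

// Server is the relying party: it stores public keys and one live challenge per user.
type Server struct {
	rpID       string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

// Register mints a P-256 key pair on the device and hands the server only the public half.
func Register(s *Server, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = &priv.PublicKey
	return &Authenticator{priv: priv, rpID: s.rpID}, nil
}

// Challenge issues a fresh nonce that is valid for exactly one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New() // binds the signature to both the origin and the challenge
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the device side: verify the user locally, refuse origins the credential was not
// registered with (phishing resistance), then sign; a stolen fingerprint alone cannot do this.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.userVerified {
		return nil, errors.New("local user verification failed")
	}
	if rpID != a.rpID {
		return nil, errors.New("credential not bound to this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge))
}

// Verify checks the signature against the stored key and consumes the challenge either way,
// so a captured login exchange cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	c, okc := s.challenges[user]
	if !ok || !okc {
		return false
	}
	delete(s.challenges, user)
	return ecdsa.VerifyASN1(pub, signedData(s.rpID, c), sig)
}

// Demo registers and logs in against an assumed relying party and reports whether the login
// verified, a replayed signature was rejected, and a look-alike origin was refused a signature.
func Demo() (loginOK, replayRejected, phishRejected bool, err error) {
	srv := &Server{"hr.example.gov", map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
	dev, err := Register(srv, "alice")
	if err != nil {
		return
	}
	dev.userVerified = true // simulate a successful fingerprint match on the device
	c, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	sig, err := dev.Sign(srv.rpID, c)
	if err != nil {
		return
	}
	loginOK = srv.Verify("alice", sig)
	replayRejected = !srv.Verify("alice", sig)
	_, perr := dev.Sign("hr-login.example.net", c) // phishing origin
	phishRejected = perr != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The server side never holds anything an attacker could reuse as a credential: a dump of pubKeys yields only public keys, and the one challenge per user is useless once consumed. Contrast this with the OPM systems described above, where a single compromised KeyPoint password was enough.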


Some agencies do have to keep biometric data on file, he agrees. Police departments, for example, have to collect fingerprints at crime scenes. And, of course, the federal government has to collect fingerprints when it does its security checks.

“When you have to store highly sensitive information, it should be absolutely table stakes to use multi-factor authentication,” says Brett McDowell, executive director at the FIDO Alliance.

In addition, access should be limited to just those people who need it, says Gus Coldebella, attorney at Boston-based Fish & Richardson P.C. and former acting general counsel of the U.S. Department of Homeland Security under George Bush. “You have to determine if an employee is entitled to see some segment of information, and should be restricted to just that,” he says. “That employee might not actually be that employee. It might be a nation-state sponsored actor who successfully spear-phished the credentials.”

Finally, the information itself should be stored in encrypted form. OPM finally began a big encryption push in 2016 and expects to complete it by the end of this year, OPM CISO Cord Chase told the House Oversight Committee in February.
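An added example, not code from the article or from OPM, of the two controls Coldebella and Chase describe applied to the one field that cannot be reissued: records are encrypted at rest with AES-GCM, and rows are looked up by a keyed HMAC of the Social Security number rather than by the number itself, so a dump of the table and its index shows no SSNs and offers nothing to test guessed numbers against. Go standard library only; the record contents, the SSNs and the in-process random keys are constructed for the demonstration (in a real system the keys would come from a KMS or HSM and the store would be a database). The demo checks a round trip, that neither the SSN nor the record text appears in the stored bytes, and that a ciphertext copied onto another row fails to decrypt because the row token is bound as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Vault holds personnel records encrypted at rest; the SSN is never stored and never used as
// a row key, a keyed HMAC of it is, so a dump of table or index shows no SSNs.
type Vault struct {
	encKey  []byte            // 32-byte AES-256 key (from a KMS/HSM in practice; assumed here)
	macKey  []byte            // separate 32-byte key for lookup tokens
	records map[string][]byte // token -> nonce || AES-GCM ciphertext
}

// token derives the row key (raw HMAC bytes); without macKey a guessed SSN cannot be tested.
func (v *Vault) token(ssn string) string {
	m := hmac.New(sha256.New, v.macKey)
	m.Write([]byte(ssn))
	return string(m.Sum(nil))
}

func (v *Vault) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put seals the record with a fresh nonce, binding the row token as associated data.
func (v *Vault) Put(ssn string, record []byte) error {
	aead, err := v.gcm()
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	tok := v.token(ssn)
	v.records[tok] = append(nonce, aead.Seal(nil, nonce, record, []byte(tok))...)
	return nil
}

// Get looks the row up by token and decrypts it; a tampered or swapped row fails to open.
func (v *Vault) Get(ssn string) ([]byte, error) {
	tok := v.token(ssn)
	blob, ok := v.records[tok]
	if !ok {
		return nil, errors.New("no record")
	}
	aead, err := v.gcm()
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("corrupt record")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(tok))
}

// Leaks reports whether needle appears in any stored key or value, i.e. what a table dump shows.
func (v *Vault) Leaks(needle string) bool {
	for k, b := range v.records {
		if strings.Contains(k+string(b), needle) {
			return true
		}
	}
	return false
}

// Demo stores one constructed record and checks round trip, absence of plaintext in the dump,
// and rejection of a row copied under another SSN's token.
func Demo() (roundTrip, noLeak, swapRejected bool, err error) {
	key := make([]byte, 64) // 32 bytes for AES-256 plus 32 for the HMAC; a KMS would supply these
	if _, err = rand.Read(key); err != nil {
		return
	}
	v := &Vault{key[:32], key[32:], map[string][]byte{}}
	const ssn, rec = "123-45-6789", `{"name":"A. Example","form":"SF-86"}` // constructed sample
	if err = v.Put(ssn, []byte(rec)); err != nil {
		return
	}
	got, gerr := v.Get(ssn)
	roundTrip = gerr == nil && string(got) == rec
	noLeak = !v.Leaks(ssn) && !v.Leaks("Example")
	v.records[v.token("987-65-4321")] = v.records[v.token(ssn)] // attacker copies the row
	_, serr := v.Get("987-65-4321")
	swapRejected = serr != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Two caveats follow from the design. The HMAC token is deterministic, so an attacker who obtains macKey can confirm guessed SSNs offline; the MAC key therefore needs the same protection as the encryption key, and the two must be different keys. And encryption at rest does nothing against a caller who holds a valid credential and the decryption path, which is why the access restriction Coldebella describes has to sit in front of Get rather than be replaced by it.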

One of the problems uncovered after the initial breach was that many of OPM’s systems were being used without a Security Assessment and Authorization. By the end of 2016, according to an audit report, 18 major systems still had no valid authorization in place.

In addition, the audit showed a significant staffing problem, which caused the OPM to backslide in its compliance with the Federal Information Security Management Act. “There has been an extremely high employee turnover rate for the ISSO positions, and OPM has struggled to backfill these vacancies,” said Michael Esser, OPM’s assistant inspector general for audits, in his report. “In addition, there have been five different individuals in the role of the chief information officer in the past three years.”

Finally, there’s the problem of old equipment. BeyondTrust surveyed federal IT managers earlier this year and found that 47 percent of federal agencies still use Windows XP. “Windows XP is highly insecure and many of the newer anti-virus, multi-factor authentication, and even security tools just do not work on unsupported platforms anymore,” says Morey Haber, VP of technology at Phoenix-based BeyondTrust. “Commercial businesses will not make money or develop for platforms that are end of life. There is no sustainability model for it.”

According to Gartner’s Holgate, legacy systems in the federal government have an average age of 14 years, compared to 10 in the private sector.

In addition to ripping and replacing, one option is to move to cloud-based infrastructure. Here, too, the federal government lags behind. “Federal agencies reported in 2016 that they spend 3 percent of their total IT expenditures on cloud services,” says Holgate. “That is significantly less than private sector peers, for which benchmarking shows 12 percent.”

Moving to the cloud isn’t necessarily more secure, says Ken Kartsen, VP of federal sales at Santa Clara, Calif.-based McAfee LLC. Kartsen has been working with federal government clients in various areas of cybersecurity for nearly 20 years. “But if you look at the underlying infrastructure, especially infrastructure as a service, you at least start with a safe and secure system,” he says.

He has seen some progress in this area, he adds. “Two years ago, I didn’t know of any large component of infrastructure that was outsourced to the cloud,” he says. “Two years later, it’s very different. The momentum is definitely there.”

The FedRAMP program, for example, pre-approves cloud vendors to make it easier and faster for government agencies to move to the cloud. “That shows to me that the government is moving very aggressively,” he says. “I think we’re going to see a lot more infrastructure outsourced over the next couple of years.”

Long-term impact is yet to be felt

The OPM breach was unlike most other breaches, and creates problems that can’t be fixed by reissuing credit cards and offering credit monitoring services. Nearly 22 million Social Security numbers were breached, which cannot be reissued. And that’s just the start.

There are also background investigations on people applying for security clearances, as well as their spouses, which includes things like criminal and financial histories and information about their friends, family members and business acquaintances. More than a million fingerprints were also lost. “The scariest thing is the fallout we haven’t yet seen, the potential corruption of data, the long-term effects of espionage on national security,” says Willis Towers Watson’s Dagostino. The data could be used to unmask covert agents, for example.

In addition, the sensitive background information can help a foreign power to find and recruit potential intelligence sources. “It was a great hit to the United States, and I don’t believe we’ve seen the full impact of it,” says Brian White, COO at Baltimore-based RedOwl. White has previously worked at the Department of Homeland Security. “And we are still not doing everything possible to protect our most sensitive information,” he adds.


Timeline: What We Know About the OPM Breach (UPDATED)


By Aliya Sternstein and Jack Moore

A recent hearing yielded new details about how hackers were able to make off with data on millions of current and former federal employees.

Updated June 26

After no fewer than five congressional hearings and countless hours of testimony from government officials, we’re learning more about the massive breach of sensitive government files at the Office of Personnel Management.  

We’ve learned hackers first breached the Office of Personnel Management’s networks in late 2013, months before the earlier timeline laid out by officials. Although that intrusion is not believed to have led to the loss of personally identifiable information, it’s now believed hackers made off with IT system manuals that, officials say, could have provided a blueprint of sorts into OPM’s networks and laid the groundwork for future hacks.

The timeline below, first published June 17, has been extensively updated and revised. It provides the key events leading up to the disclosure of the OPM mega-hack earlier this month, including when intruders first breached government and contractors’ networks.

The timeline is based on media reports, congressional testimony and other public records.

The earliest known malicious activity on OPM networks so far disclosed by government officials dates back to November 2013. Intruders did not make off with any personally identifiable information, but they did steal manuals about OPM IT assets, which officials said acted as a blueprint to OPM networks. The malicious activity was not detected by OPM until March 2014.

A month later, officials say hackers first breach two contractors involved in conducting background investigations of national security workers: USIS and KeyPoint Government Solutions. The USIS intrusion may go back even further. Andy Ozment, a top DHS cyber official, told a Senate committee June 25 the malicious activity on USIS networks dates back to April 2013. Intruders had access to both contractors’ systems for months before being detected.

OPM officials first become aware of malicious activity on its networks. Intruders didn’t access PII, but they did make off with blueprints to OPM’s networks. The breach is not disclosed to the public. U.S. officials later tell reporters the attempt was thwarted, because they could not identify the loss of any personally identifiable information.

In May, OPM IT security personnel conducted a regular security review of USIS systems. The company’s information security systems “met or exceeded the requirements imposed by government customers,” according to cyber forensics firm Stroz Friedberg, which was retained by USIS.

Meanwhile, government investigators now say in May 2014, hackers breached a second OPM system holding information on federal employees’ background checks and other security clearance information. The breach would go undetected for nearly a year.

USIS first detects the breach of its networks (dating back to December 2013) and notifies OPM in early June. The information is not made public. In congressional testimony this year, OPM officials said the attempted breach of OPM networks and that of USIS happened around the same time.

The New York Times publicly reveals for the first time the OPM intrusion detected by the agency in March. The article, “Chinese Hackers Pursue Key Data on U.S. Workers,” is published July 9, 2014.

OPM sent an email to federal workers later that day. “Due to the constant monitoring systems in place at DHS and OPM, we were alerted to a potential intrusion of our network in mid-March,” according to the note, which was obtained and published by The Washington Post. OPM officials said there were no indications any employee information had been breached. Later, however, officials told Congress the hackers stole manuals describing agency IT systems.

Multiple media reports reveal the USIS hack for the first time. In a statement, the company says the attack “has all the markings of a state-sponsored attack.” Officials initially said the USIS breach appeared unrelated to the March 2014 attempted intrusion at OPM. Some 27,000 Department of Homeland Security employees were believed to be affected. The number later rises to more than 31,000 and includes employees at the National Geospatial-Intelligence Agency, Immigration and Customs Enforcement and the U.S. Capitol Police. OPM suspends work with USIS and later decides not to renew its contracts with the company.

Officials from the U.S. Computer Emergency Readiness Team scan networks at both USIS and KeyPoint Government Solutions. Officials detect what have been characterized as two separate breaches at KeyPoint.  

One breach is estimated to affect as many as 390,000 current and former DHS employees, contractors and even job applicants, who may have had their personal information exposed. It’s unclear when the hackers first entered KeyPoint systems, and this breach is not disclosed to the public until a June 15 AP article. Notification letters about the breach were mailed to employees beginning in April.

Separately, another KeyPoint breach is also detected by US-CERT in either August or September 2014. Officials have offered both dates. This breach -- which is the one officials can trace back to December 2013 -- may have exposed the data of more than 48,000 DHS employees. Despite the similarity in timing between the two KeyPoint breaches, DHS officials have maintained that the two are separate.

Malicious activity in OPM systems maintained in an Interior Department shared-services data center begins. The activity is not detected until April of the following year. This is the beginning of the breach of more than 4.2 million federal employees’ personnel files.

On Dec. 18, OPM alerts more than 48,000 federal employees about the potential exposure of personal information related to one of the KeyPoint breaches. OPM officials said there wasn’t conclusive evidence that hackers had made off with personally identifiable information.

At some point in April, OPM officials detected the cyber intrusion of personnel files stored at the Interior Department, now believed to have begun in October. The discovery came as the agency made cybersecurity improvements, officials said. OPM officials contacted DHS and the FBI. In early May, OPM learned employees’ personal records had in fact been exfiltrated from government systems.

On April 22, government officials testified before the House Oversight and Government Reform Committee about the 2014 USIS hack. OPM CIO Donna Seymour acknowledged both USIS and OPM were attacked by hackers around the same time in March 2014, but OPM thwarted the attack and was able to “put mitigations in place to better protect the information,” she testified.

In early May, an incident response team made up of DHS, the FBI and others informs OPM that employees’ personal records, stored in an Interior Department shared-services data center, had in fact been exfiltrated from government systems starting in December.

Later, the investigation revealed additional systems covering background investigation data on current, former and prospective federal employees had also been breached.

OPM publicly announces data breach of personnel data systems affecting as many as 4.2 million current and former federal employees. Some officials say those estimates undercount the true scope of the attack.

Officials confirm a second OPM breach snared security clearance files of current, former and prospective federal employees. The data included “SF-86” forms, containing intimate details on their contacts, families and themselves. The number of people affected by the second intrusion remains unclear, officials said.

OPM officials face a grilling at a House Oversight and Government Reform Committee hearing. OPM Director Katherine Archuleta said employees’ Social Security numbers stored by OPM were not encrypted because it couldn’t be done feasibly with the agency’s antiquated systems.

Unconfirmed estimates of those affected by the data breach grew to as many as 14 million, though officials at the hearing declined to provide updated estimates and answers in open session about whether the data included information on military service members or intelligence community employees.

Amid an onslaught of congressional hearings about the breach, Archuleta reveals that hackers leveraged a compromised KeyPoint user credential to gain access to OPM’s network. It’s unclear how intruders netted the KeyPoint user's credential and also uncertain which breach of OPM systems the credential was subsequently used in.

Aliya Sternstein and Jack Moore contributed to this report. 


Federal judge finalizes $63M settlement for OPM data breach victims

Victims of one of the largest data breaches to ever hit the federal government are one step closer to a payout, more than seven years later.


A federal judge on Friday finalized the Office of Personnel Management’s settlement agreement with current and former federal employees, as well as federal job applicants, impacted by a major data breach in 2015.

District Judge Amy Berman Jackson, in a fairness hearing at the U.S. District Court for the District of Columbia, said the $63 million settlement for breach victims was “fair, reasonable and adequate.”


Jackson made a preliminary approval of the settlement on June 7.

Court documents show nearly 20,000 individuals have already signed onto the class-action lawsuit, but affected individuals have until Dec. 23 to submit a claim to join it.

The law firm Girard Sharp, which represents plaintiffs in the lawsuit, said in June that the settlement will provide a minimum payment of $700 for individuals who suffered a financial loss as a result of the hack, “even for those with minor expenses.”

Everett Kelley, national president of the American Federation of Government Employees, a plaintiff in the lawsuit, called Friday’s court ruling a “significant victory for rank-and-file federal employees.”

“We look forward to continuing to educate our members whose personal information was compromised in this data breach about how they can take part in this settlement and receive the compensation they are due under the law,” Kelley said.

AFGE has emailed about a million potential victims informing them about the class-action lawsuit.

Additionally, plaintiffs have created targeted ads for current and former federal employees on social media, as well as print and radio ads to make them aware of a website about the class-action lawsuit.

Attorney Daniel Girard told Federal News Network in an email that the settlement will pay anyone who suffered an out-of-pocket loss tied to the data breach up to $10,000.


“AFGE should be commended for coming forward to initiate the suit and supporting the process throughout,” Girard said.

Eligible individuals must demonstrate they had their personal information compromised in the data breaches of OPM’s IT system in 2014 and 2015, or the breach of its contractor Peraton’s electronic information systems in 2013 and 2014.

Individuals, in order to receive a settlement award, must also be able to prove they suffered an out-of-pocket expense or lost compensable time as a result of identity theft or trying to protect themselves from identity theft.

The 2015 breach compromised the personally identifiable information (PII) of approximately 22 million current and former federal employees and job applicants.

About 2 million individuals signed up for free credit monitoring services OPM provided to data breach victims.

Among those affected by the breach, 14 individuals filed objections to the settlement.

Among the objections, individuals complained that it was difficult to document their losses more than seven years after first learning about the OPM breach.


The settlement only compensates those who can prove they were financially affected by the breach.

Another said the OPM data breach has caused “lifelong” damage, and that OPM providing free credit monitoring services through September 2026, as mandated by Congress, was insufficient.

Jackson said it “makes sense” that the credit monitoring services should eventually lapse, and that the federal government has done its due diligence in providing these services as long as it has, given the prevalence of data breaches in and out of government since 2015.

Individuals who wish to continue these credit monitoring services beyond the deadline, Jackson said, should do so “for their own peace of mind,” but out of their own pocket.

An OPM spokesperson referred requests for comment to the Justice Department, which did not immediately respond.


Jory Heckman is a reporter at Federal News Network covering U.S. Postal Service, IRS, big data and technology issues.

“Success Is Invisible, But Failure Is Public”: Examining The U.S. Office Of Personnel Management Data Records Breach


In 2015, the U.S. Office of Personnel Management (OPM) suffered one of the largest government-related data breaches in U.S. history. A total of 4.2 million personnel records, 21.5 million background check records, and 5.6 million sets of fingerprints were exfiltrated in a sophisticated, multi-stage cyber espionage operation linked to state-sponsored actors. Such a large data breach invited bipartisan criticism of the agency’s handling of the incidents and thrust the federal government’s cybersecurity preparedness into the limelight. This paper seeks to answer a set of five interrelated questions: 1) What happened in the 2015 U.S. Office of Personnel Management data breach, and what were the impacts? 2) Did a lack of technical capability hinder OPM’s efforts to detect and block unauthorized access to its network? 3) Were organizational and management weaknesses more to blame? 4) Did the cybersecurity posture at OPM before the incidents change after the events in 2014 and 2015? 5) What can be done by the Office of Personnel Management to prevent or mitigate the damage from similar cyber activities in the future? To answer these questions, this paper first introduces the concept of the “cybersecurity toolkit” to better understand contemporary cyber issues. Second, the OPM case study is discussed, including a timeline of events and key actors. Third, this paper examines the technical, management, and compliance-related factors that contributed to the breaches, including a compilation and analysis of OPM Inspector General cybersecurity audit data from 2007 to 2017. Finally, this paper discusses the short- and long-term impacts of the OPM breach and offers recommendations to improve cybersecurity at OPM and within the federal government.


A Case Study Analysis of the U.S. Office of Personnel Management Data Breech


2019, ResearchGate

User training and awareness is often touted as the strongest tool to resist cyberattacks, as users are often the primary attack vector used to gain access to environments (Thomas J. E., 2018). However, sometimes attackers have overwhelming knowledge and resources, making them virtually unstoppable. The Office of Personnel Management (OPM) data breach was one of the most significant data breaches of 2015 (Fruhlinger, 2018). The OPM is responsible for human resource management for the US Government (McGettigan, 2018). This breach affected some 20 million people (Brendan, 2016).

Related Papers

Computer and Information Science

Jason E Thomas

As the world continues to grow and embrace technology, ransomware is a growing problem. When ransomware encrypts storage systems, systems shut down, productivity grinds to a halt, and serious long-term damage takes place. As this is a known problem, many firms have developed functionality to address ransomware issues in key security technologies such as intrusion protection systems. Many firms, especially smaller ones, may not have access to these technologies, or perhaps the integration of these technologies might not yet be possible due to varying circumstances. Regardless, ransomware must still be addressed, as cyber miscreants actually target weak and unprotected environments. Even without tools that automate and aggregate security capability, systems administrators can use system utilities, applications, and digital forensic techniques to detect ransomware and defend their environments. This paper explores the literature regarding ransomware attacks, discusses current issues on how ransomware might be addressed, and presents recommendations to detect and investigate ransomware infection.


One of the most difficult challenges in information security today is phishing. Phishing is a difficult problem to address because there are many permutations, messages, and value propositions that can be sent to targets. Spear phishing is also associated with social engineering, which can be difficult for even trained or savvy employees to detect. This makes the user the critical point of entry for miscreants seeking to perpetrate cyber crimes such as identity theft and ransomware propagation, which cause billions of dollars in losses each year. Researchers are exploring many avenues to address this problem, including educating users and making them aware of the repercussions of becoming victims of phishing. The purpose of this study was to interview security professionals to gain better insight on preventing users and employees from succumbing to phishing attack. Seven subject-matter experts were interviewed, revealing nine themes describing traits that identify users as vulnerable to attack or strongly resistive to attack, as well as training suggestions to empower users to resist spear phishing attacks. Suggestions are made for practitioners in the field and future research.

Gil Baram , Tal Pavel

The present paper reviews the main cyber events of 2016 from the perspective of governments. It outlines and analyzes key identifiable trends in cyber activities and policies worldwide such as the establishment of special national cyber strategies, enhancing research and development efforts, and strengthening international cyber collaborations and regulations. We focus mainly on major developments in the U.S, Russia, China, as well as other European and Asian powers. Our main findings show that while quantum computing and block chain technologies are developing rapidly and IoT and AI are picking up steam, governments are simultaneously improving their defensive and offensive capabilities and are trying to find new ways to deal with the emerging threats. Given the rapid pace of technological development, it remains to be seen whether these accelerated governmental efforts will succeed.

Smart Cities and Regional Development (SCRD) Journal

Oleksandr Tsaruk

The paper deals with phenomena arising from radical disruptions in numerous spheres of human activity that challenge the conventional understanding of security. Authors endeavour to contribute to understanding of these changes and the emerging paradigm. The notions of cyber security, information security in relation to the cyber-physical systems security, and information security in broader sense which describes safeguarding the information flows to cyberspace and media were considered. Authors explore modern manifestations of these threats, and then dive into the hybrid nature of the threats to cyber-and information security, describing cyber threats and cyber attacks as merged with existing 'conventional' techniques. The examination of hybrids threats-the cyber leverages to diplomacy, the practice of cyber retaliation, cyber sabotage and espionage, cyber weapons and the cyber arms race-was given.

Since the Korean War, stability in North and South Korean relations has been elusive. Over the past decade, hostilities have entered a digital phase as an increasingly tech-savvy North Korea has compromised public and commercial systems in South Korea with relative impunity. Perceiving North Korea as its greatest threat to cybersecurity, South Korea has focused virtually all of its cybersecurity efforts and resources towards defending against future cyber attacks from its northern neighbor. This paper examines the accuracy of South Korea’s threat assessment of North Korea and investigates the validity of South Korean cyber forensic techniques and intelligence. Furthermore, this research uses analyses of data from past cyber incursions in South Korea to determine the effectiveness of cybersecurity policies and attempts to determine if defensive and offensive strategies are appropriate, in both size and scope, for the danger that North Korea appears to represent. The author concludes that while South Korean assessments of North Korean cyber capabilities and involvement in cyber incursions are relatively accurate, there are ambiguities in the findings of cyber forensic analyses that may be incorrectly attributed to North Korea. As a result, current cyber strategies may be inadequate to defend against other possible state and non-state actors. In addition, this research finds that past cyber policies have weakened South Korean cybersecurity, and suggests that South Korea should shift towards broader more defensive strategies.

Levan Agniashvili

Proceedings of the Digital Privacy and Security Conference 2020

Hugo Barbosa , Carla Cordeiro

The Digital Privacy and Security Conference (DPSC) was first published in 2018 with the aim of disseminating the latest academic research on various subjects related to privacy and digital security. The objectives of our mission have been growing along with the success of the editions of this conference. The conference proceedings aim to publish quality research for the benefit of the global academic community. We believe in the importance of education for society and the need to facilitate knowledge on a global scale. As the digital era matures, cyber security evolves and software vulnerabilities diminish; people, however, as individuals, are more exposed today than ever before. In the context of digital privacy and security, attackers breach defences to access sensitive data and resources. The event will take place at the Lusofona University of Porto (ULP) on 15 January 2020.

Book: Asian Defence Review 2018, Knowledge World Publishers, New Delhi

Dr. E. Dilipraj

Nikola Zlatanov

Computer security, also known as cybersecurity or IT security, is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.[1] It includes controlling physical access to the hardware, as well as protecting against harm that may come via network access, data and code injection,[2] and due to malpractice by operators, whether intentional, accidental, or due to them being tricked into deviating from secure procedures.[3] The field is of growing importance due to the increasing reliance on computer systems in most societies.[4] Computer systems now include a very wide variety of "smart" devices, including smartphones, televisions and tiny devices as part of the Internet of Things – and networks include not only the Internet and private data networks, but also Bluetooth, Wi-Fi and other wireless networks.

Self-Published

Michael Nycyk

Book three in the Cyber Library Reference Book series


More than 22.1 million people were impacted by the OPM breaches.  Andrew Brookes/Getty Images


A Judge Has Finalized the $63M OPM Hack Settlement. Feds Now Have Two Months to Sign Up for Damages.

So far, more than 19,000 data breach victims are seeking payouts of up to $10,000.

A federal judge on Wednesday formally finalized a $63 million settlement that will soon allow thousands of current and former federal employees to receive payouts as part of the agreement stemming from a 2015 breach of data maintained by the Office of Personnel Management.

District Judge Amy Berman Jackson said all parties had fulfilled their obligations since they reached a preliminary agreement in June, including taking proper steps to notify the victims of the hack of their eligibility to potentially receive monetary damages. Jackson added in her order the settlement is “fair, reasonable and adequate, and in the best interests of the class.” 

OPM disclosed two data breaches in 2015: one that exposed the personnel files of all current and former federal employees and another that released the personally identifiable information of all applicants for security clearances, as well as their families. Those individuals are set to receive a minimum of $700 and up to $10,000 from the agreement if they can prove they were victims of the hack and incurred out-of-pocket expenses or lost compensable time. More than 22.1 million people were impacted by the breaches. 

They now have until Dec. 23 to file a claim for damages. The plaintiffs are part of a class action lawsuit that reached a $63 million settlement earlier this year with OPM and its contractor, now known as Peraton Risk Decision Inc. As of the latest filing earlier this month, more than 19,000 employees have filed a claim.

Jackson made clear the government and Peraton were not admitting guilt and would not play any part in doling out the settlement to class members. That role will fall to Epiq, the firm overseeing the implementation of the agreement. The court itself will retain jurisdiction over administration and interpretation of the settlement, Jackson said. The judge upheld the settlement over the objections of more than a dozen class members who submitted concerns. 

Nearly all of the 22 million impacted by the breach will no longer have any standing to sue the government or Peraton due to the hacks, except for the 114 individuals who proactively asked to be excluded from the settlement. 

In order to qualify for the payouts, hack victims must show they purchased their own credit monitoring or identity theft protection services, accessed a credit report or made efforts to mitigate an identity theft incident. Epiq, which said it expects more class members to file claims over the next two months, will review and audit all claims that it receives. Individuals must affirmatively make a claim to be eligible for monetary compensation, which they can do on OPMDataBreach.com. They are encouraged to provide documentation of their related expenses, for which they can be compensated up to $10,000.

In addition to providing notice to hack victims of the settlement and the steps for signing up, Epiq has overseen an advertising campaign to raise awareness of the agreement. The firm said it would make more than 700 million impressions through print, digital and social media ads. It is not yet clear exactly when breach victims could start receiving their compensation, though the court ordered the payouts to begin as expeditiously as possible after the Dec. 23 deadline. Epiq will also have to review and audit the claims it receives. 

The defendants have already agreed to pay the plaintiffs’ attorneys from Girard Sharp LLP $7 million in fees. Congress has mandated that OPM provide victims 10 years of credit monitoring and identity theft protections. The agency has signed two contracts with ID Experts to provide the services, the first worth $340 million and the second worth up to $416 million.


The devastating hack of the federal Office of Personnel Management, explained

by Timothy B. Lee

Katherine Archuleta, director of the Office of Personnel Management, testifies before the Senate Homeland Security and Governmental Affairs Committee about the recent OPM data breach on June 25, 2015. She resigned from the agency in July.

The Office of Personnel Management has been forced to admit, yet again, that the devastating hack of its computer systems was worse than the agency had previously acknowledged. The latest revelation: Fingerprint data from 5.6 million people has been stolen, a fivefold increase from the agency’s previous estimate of 1.1 million. Overall, the agency estimates that hackers took information related to 22 million people.

The hack has been such a disaster that OPM head Katherine Archuleta was forced to step down in July. Government inspectors had been warning for years that the agency’s IT systems were not properly secured, and Archuleta failed to properly secure them during her 20-month tenure as the head of the agency.

Information about the hacks at OPM, which is the human resources arm of the federal government, has been trickling out for months. OPM manages some of the most sensitive data the government has. The most alarming information obtained by the hackers — who are suspected to have ties to the Chinese government — was collected by US officials while conducting background checks for employees seeking security clearances. It includes information about federal employees’ substance abuse and gambling problems, financial difficulties, and mental health problems. Having this kind of information fall into Chinese hands would damage American national security for years to come.

OPM systems have been vulnerable for years

The federal government’s security monitoring practices are so weak that we don’t know how long the hackers had access to OPM systems. It appears the attacks had been underway for months when they were discovered in June.

The attackers appear to have had virtually unfettered access to OPM’s computer systems. They were finally detected when the government made improvements to Einstein, a system that monitors federal networks for suspicious activity. Network administrators realized that someone was downloading large volumes of data from OPM databases.
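The article notes that the intrusion was caught only when network monitoring flagged unusually large downloads from OPM databases. The following is an added illustration, not code from the article or from the Einstein system: a per-host egress baseline over constructed flow summaries that raises an alert when one day's outbound volume is far above that host's own history. Host names, byte counts and thresholds are all constructed for the example.

```python
"""Volume-based exfiltration alerting over constructed flow summaries.

Added example (not from the article, Einstein or any federal system). It shows
the simplest form of the signal described in the text: a host that normally
sends about a megabyte a day suddenly sends tens of megabytes.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (day, source_host, bytes_out). Days 1-6 form the
# training window; on day 7 db-srv-01 sends roughly 40x its usual volume.
FLOWS = [
    (1, "db-srv-01", 1_200_000), (1, "db-srv-02", 900_000),
    (2, "db-srv-01", 1_100_000), (2, "db-srv-02", 1_000_000),
    (3, "db-srv-01", 1_300_000), (3, "db-srv-02", 950_000),
    (4, "db-srv-01", 1_250_000), (4, "db-srv-02", 1_050_000),
    (5, "db-srv-01", 1_150_000), (5, "db-srv-02", 980_000),
    (6, "db-srv-01", 1_220_000), (6, "db-srv-02", 1_010_000),
    (7, "db-srv-01", 48_000_000), (7, "db-srv-02", 990_000),
]


def daily_egress(flows):
    """Aggregate outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def build_baseline(totals, training_days):
    """Per-host (mean, population stddev) of daily egress over the training window.

    Hosts with fewer than two training samples get no baseline and never alert;
    a real deployment would track such hosts separately rather than ignore them.
    """
    baseline = {}
    for host, by_day in totals.items():
        samples = [by_day[d] for d in training_days if d in by_day]
        if len(samples) >= 2:
            baseline[host] = (mean(samples), pstdev(samples))
    return baseline


def find_anomalies(flows, training_days, eval_day, z_threshold=3.0, min_ratio=5.0):
    """Return hosts whose eval_day egress is both more than z_threshold standard
    deviations above, and more than min_ratio times, their baseline mean.

    The ratio guard keeps a host with a near-constant baseline (tiny stddev)
    from alerting on ordinary day-to-day noise.
    """
    totals = daily_egress(flows)
    baseline = build_baseline(totals, training_days)
    alerts = []
    for host, (mu, sigma) in baseline.items():
        observed = totals[host].get(eval_day, 0)
        if sigma > 0:
            z = (observed - mu) / sigma
        else:
            z = float("inf") if observed > mu else 0.0
        if z > z_threshold and observed > min_ratio * mu:
            alerts.append({
                "host": host,
                "observed": observed,
                "baseline_mean": round(mu),
                "z": round(z, 1),
            })
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(FLOWS, training_days=range(1, 7), eval_day=7):
        print(f"ALERT {a['host']}: {a['observed']:,} bytes out "
              f"vs baseline {a['baseline_mean']:,} (z={a['z']})")
```

A volume threshold alone is a coarse signal; in practice it is paired with destination, time-of-day and account context so that a legitimate bulk job does not page the on-call engineer every night.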

OPM’s inspector general has been warning for years that OPM’s security practices were inadequate. At a recent hearing, Rep. Jason Chaffetz (R-UT) read from a 2009 report by OPM’s inspector general warning of “continuing weakness in OPM information security programs.” He noted similar warnings in the 2010, 2012, and 2014 reports.


Given that OPM hosts some of the most sensitive data in the federal government, these OPM reports should have set off alarm bells for Archuleta (who had been leading the agency since 2013) and her predecessors. The IG’s 2014 report did acknowledge that OPM had made some progress in locking down its systems. But obviously those changes weren’t sufficient to safeguard OPM’s data.

The stolen information was extremely sensitive

The hackers targeted two specific databases.

The first, known as eOPF, holds the kind of standard personnel data that any HR department collects: Social Security numbers, contact information, records about promotions, retirement benefits, and so forth. Having this kind of data about millions of federal employees would be a boon for a criminal looking to engage in identity theft, and it could be valuable for a foreign government, too.

But the real problem for the US comes from the other system that got compromised, known as EPIC. EPIC is a suite of applications that manage information collected during the intensive background-checking process the federal government does before giving someone a security clearance.

Among other things, EPIC stores federal employees’ responses to form SF-86. That’s a 127-page form that asks employees about their past addresses, jobs, close friends, relatives, current and former spouses, foreign contacts, mental health problems, criminal record, illegal drug use, drinking problems, gambling problems, and bankruptcies.

Circumstantial evidence suggests that the Chinese government may be the culprit

US intelligence agencies collect this information because they want to ensure that people in sensitive positions don’t have relationships that could compromise their loyalty to the US and aren’t vulnerable to blackmail or bribery. Which, of course, makes the same information invaluable to a foreign government seeking to influence US personnel.

The Department of Defense maintains a separate database for security clearance decisions, but according to Ars Technica, OPM employees had access to the DOD data so they could cross-check records. So it’s likely that the hackers were able to access military personnel records as well. One agency that may have been spared is the CIA, which maintained a separate system for background checks that (as far as we know) has not been compromised.

China is the leading suspect

There are many ways for sophisticated hackers to cover their tracks, so definitively proving the source of any online attack is challenging. But media reports indicate that — despite Chinese denials — US officials believe the Chinese government is behind the attacks. While they’ve avoided publicly naming China as the attacker, they have also been preparing to retaliate.

Some cybersecurity experts believe the OPM attack was by a hacking group dubbed Deep Panda. The group is believed to have ties to the Chinese government and is also suspected in other recent attacks, including one on the insurance company Anthem discovered in February.

Sen. Susan Collins (R-ME), who serves on the Senate Intelligence Committee, has described the attacks as “extremely sophisticated,” suggesting the culprits had the resources of a nation state at their disposal.

Securing the federal government will require some big cultural changes

The revelations of the last three months will surely make Congress and Obama administration officials more focused on securing the federal government’s computer systems. But actually preventing future attacks will require more than additional resources — it will require a change in how the federal government thinks about security.

The conventional way the federal government approaches security is by making lists of security requirements — use this kind of encryption, require employees to use that kind of password — and then requiring every agency to comply with the requirements on the list. But as Ars Technica’s Sean Gallagher has written, this way of thinking misunderstands the nature of online security threats.

This checkbox approach to computer security is akin to evaluating the security of a building by checking the quality of the locks on the doors — without bothering to check if any windows have been left open. And it’s exacerbated by government agencies’ tendency to outsource IT work to a variety of different federal contractors. Often security vulnerabilities arise because no one checks to see if software remains secure when it’s combined with other software.


Therefore, it’s important that agencies develop the capacity to perform security audits not only of individual systems but also across their entire network, to look for cases where decisions made by one contractor created security vulnerabilities elsewhere in an agency’s network. (Car companies are facing similar challenges as their products become more software-based.)

Effectively securing computer systems requires doing three things:

1) Security needs to become an integral part of the software design process. That means security experts should be involved in every aspect of building and maintaining IT systems. And the best security experts are almost all outside of government right now, so the feds need to work harder to recruit top security experts.

2) Agencies should hire “red teams” of seasoned hackers to attack their systems. No checklist is going to cover all the possible ways a computer system might be vulnerable. The only way to tell if a system is truly secure is to have security experts probe it for weaknesses.

3) The final and most difficult change is that government agencies — and especially agencies like OPM that hold highly sensitive information — need to take security concerns seriously. Identifying security problems won’t do any good unless the problems get fixed. And that will only happen if the agency’s leaders insist that it be a priority. Otherwise, the people in charge of building the software will be tempted to brush off security warnings as alarmist.


OPM Data Breach Case Study: Mitigating Personnel Cybersecurity Risk


The Slow-Burn Nightmare of the National Public Data Breach


Data breaches are a seemingly endless scourge with no simple answer, but the breach in recent months of the background-check service National Public Data illustrates just how dangerous and intractable they have become. And after four months of ambiguity, the situation is only now beginning to come into focus with National Public Data finally acknowledging the breach on Monday just as a trove of the stolen data leaked publicly online.

In April, a hacker known as USDoD, who has a record of selling stolen information, began hawking a trove of data on cybercriminal forums for $3.5 million that they said included 2.9 billion records and impacted “the entire population of USA, CA and UK.” As the weeks went on, samples of the data started cropping up as other actors and legitimate researchers worked to understand its source and validate the information. By early June, it was clear that at least some of the data was legitimate and contained information like names, emails, and physical addresses in various combinations.

The data isn't always accurate, but it seems to involve two troves of information. One that includes more than 100 million legitimate email addresses along with other information and a second that includes Social Security numbers but no email addresses.

“There appears to have been a data security incident that may have involved some of your personal information,” National Public Data wrote on Monday. “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024 … The information that was suspected of being breached contained name, email address, phone number, Social Security number, and mailing address(es).”

The company says it has been cooperating with “law enforcement and governmental investigators.” NPD is facing potential class action lawsuits over the breach.

“We have become desensitized to the never-ending leaks of personal data, but I would say there is a serious risk,” says security researcher Jeremiah Fowler, who has been following the situation with National Public Data. “It may not be immediate, and it could take years for one of the many criminal actors to successfully figure out how to use this information, but the bottom line is that a storm is coming.”

When information is stolen from a single source, like Target customer data being stolen from Target , it's relatively straightforward to establish that source. But when information is stolen from a data broker and the company doesn't come forward about the incident, it's much more complicated to determine whether the information is legitimate and where it came from. Typically, people whose data is compromised in a breach—the true victims—aren’t even aware that National Public Data held their information in the first place.

In a blog post on Wednesday about the contents and provenance of the National Public Data trove, security researcher Troy Hunt wrote, “The only parties that know the truth are the anonymous threat actors passing the data around and the data aggregator … We're left with 134M email addresses in public circulation and no clear origin or accountability.”


Even in a situation where a data broker has admitted to being breached—as is now the case with National Public Data—the stolen data may not be reliable and may have been combined with other datasets or processed in other ways. Hunt found, for example, that many email addresses in the dataset seemed to be paired with inaccurate personal information, and there were many duplicates and redundancies.

“There were no email addresses in the Social Security number files,” noted Hunt, who runs the website Have I Been Pwned (HIBP), which allows people to search their email addresses to see which, if any, data breaches they appear in. “If you find yourself in this data breach via HIBP, there's no evidence your SSN was leaked, and if you're in the same boat as me, the data next to your record may not even be correct.”

For people whose information was in the Social Security number dump, though, the risk of identity theft looms, forcing victims to freeze their credit, scour their credit reports, and set up financial monitoring services. Indeed, over the past few days, many people included in the data have begun receiving notifications about the breach from credit monitoring and threat intelligence services. And while the stolen data is imperfect, researchers warn that every trove of information that attackers can get their hands on ultimately fuels scamming, cybercrime, and espionage when combined and reconciled with the larger corpus of personal data that has been compiled by bad actors over the years.

“Each data breach is a puzzle piece, and we know that the bad guys and specific nations are also collecting this data,” Fowler says. “When numerous breaches are combined in a systematic, organized, and searchable way they can provide a complete picture and data profile of individual citizens.”


National Public Data confirms massive data breach included Social Security numbers

Social Security numbers, names, addresses, email addresses and phone numbers were among the 2.9 billion records in the data breach. A tool from security firm Pentester.com tells you if your data is involved.

National Public Data, which aggregates data to provide background checks, has confirmed it suffered a massive data breach involving Social Security numbers and other personal data on millions of Americans.

The Coral Springs, Florida, company posted on its website a notice this week that "there appears to have been a data security incident that may have involved some of your personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024."

News about the breach first came from a class action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, and first reported on by Bloomberg Law. Stolen from National Public Data (NPD) were 2.9 billion records including names, addresses, Social Security numbers and relatives dating back at least three decades, according to law firm Schubert, Jonckheer & Kolbe, which filed the suit.

NPD said the breached data included names, email addresses, phone numbers and mailing addresses, as well as Social Security numbers. The company said it is cooperating with investigators and has "implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems."


How to check to see if your Social Security number, data were exposed

Cybersecurity firm Pentester said it got the data and created a tool you can use to see if your information is in the breach – it shows names, addresses, address histories, and Social Security numbers. You will find it at npd.pentester.com.

Because financial institutions use Social Security numbers on applications for loans and credit cards and on investments, having that information available to bad actors poses a serious risk, Pentester.com co-founder Richard Glaser said in an advisory on the company website.

He also suggested freezing credit reports. "Names, addresses and phone numbers might change, but your Social Security number doesn't," Glaser said.


Data breach: How to protect your credit

NPD also advised consumers to "closely monitor your financial accounts and if you see any unauthorized activity, you should promptly contact your financial institution." Consumers might want to get a credit report and get a fraud alert on their credit file, the company said.

Consumers should do more than that and freeze their credit report, Odysseas Papadimitriou, CEO of personal finance site WalletHub, told USA TODAY. “Placing a fraud alert is not as effective as freezing your report,” he said.

"A fraud alert is more of a heads up to lenders, which they can easily ignore. It doesn’t do much in practice," Papadimitriou said. "A freeze, on the other hand, stops fraud in its tracks by preventing identity thieves from opening accounts in your name.”

He and other security experts suggest consumers take that step because the personal data is likely in the hands of hackers.

The class action suit alleges it was cybercriminal group USDoD that accessed NPD's network and stole unencrypted personal information. Then the group posted a database it said had information on 2.9 billion people on the dark web on about April 8, 2024, seeking to sell it for $3.5 million.


Data breaches have become a fact of modern life. How concerned should Americans be?

Alejandra Marquez Janse, Justine Kenin, Ailsa Chang

NPR's Ailsa Chang talks with MIT professor Stuart Madnick about the frequency of data breaches, and what people should do if their personal information is compromised in one.

Copyright © 2024 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.



'A Wake-Up Call': Experts Assess Impact of SSN Data Breach Case


August 20, 2024 at 05:04 PM


Kat Black


  • On Aug. 1, a class action was filed in the Southern District of Florida accusing a background check company of failing to prevent a data breach that reportedly exposed the Social Security numbers of 2.9 billion people.
  • The suit became mainstream news last week, when the company, National Public Data, confirmed the data leak on its website.
  • Cybersecurity experts and attorneys say that litigation has a complex and limited role in addressing the problem of recurring massive data breaches.

A data breach that reportedly exposed the personally identifiable information of 2.9 billion people, including Social Security numbers, has called mainstream attention to the conditions that enable massive data leaks and the complexities of litigating on behalf of their victims.

The breach became public knowledge this month after a California resident filed a class action lawsuit  against background check company Jerico Pictures, doing business as National Public Data in Coral Springs, Florida, on Aug. 1 in the Southern District of Florida, Fort Lauderdale Division. The plaintiff is represented by Kopelowitz Ostrow Ferguson Weiselberg Gilbert, Arnold Law Firm and Wucetich Korovilas.


COMMENTS

  1. The OPM hack explained: Bad security practices meet China's Captain

    The hack began in November of 2013, when the attackers first breached OPM networks. This attacker or group is dubbed X1 by the Congressional OPM data breach report. While X1 wasn't able to ...

  2. PDF Cyber Aware Case Study

    Security clearance background files, personnel files, and fingerprint data were exfiltrated. April 2015 OPM became aware of the data breach and began an investigation to identify and isolate all malicious code. [OPM data] remains a treasure trove of information that is available to the Chinese until the people represented by the information age ...

  3. PDF Under Attack Federal Cybersecurity and the OPM Data Breach

    This cybersecurity advisor will work with OPM's CIO to manage ongoing response to the recent incidents, complete development of OPM's plan to mitigate future incidents, and assess whether long-term changes to OPM's IT architecture are needed to ensure that its assets are secure. I expect this individual to be serving the agency by August 1.

  4. OPM Data Breach Case Study: Mitigating Personnel Cybersecurity Risk

    Abstract. The OPM data breach reminds us that the government's stored information is always at risk and under attack by malign actors. Knowledge of such persistent threats must not be ignored. Likewise, knowledge of relevant threats must be spread through government to the entire cybersecurity workforce through effective and efficient training.

  5. The OPM Data Breach: How the Government Jeopardized Our National

    The OPM data breach was preventable. OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber attacks, and failed to prioritize resources for cybersecurity. Data breaches in 2014 were likely connected and possibly coordinated to the 2015 data breach.

  6. Office of Personnel Management data breach

    The Office of Personnel Management data breach was a 2015 data breach targeting Standard Form 86 (SF-86) U.S. government security clearance records retained by the United States Office of Personnel Management (OPM). One of the largest breaches of government data in U.S. history, the attack was carried out by an advanced persistent threat based in China, widely believed to be the Jiangsu State ...

  7. Inside the OPM Hack, The Cyberattack that Shocked the US Government

    The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence ...

  8. A Case Study Analysis of the U.S. Office of Personnel Management Data

The Office of Personnel Management (OPM) data breach was one of the most significant data breaches of 2015 (Fruhlinger, 2018). ... A Case Study Analysis of the Equifax Data Breach 2 A Case Study ...

  9. One Year After OPM Data Breach, What Has The Government Learned?

    It took OPM some six months to formally notify the millions who had their records breached. They're now eligible for three years of credit monitoring and identity theft protection services. Hurd ...

  10. The OPM breach report: A long time coming

    News. Oct 13, 2016 9 mins. Data Breach Security. The catastrophic data breach of the federal Office of Personnel Management (OPM), which exposed the personal information of more than 22 million ...

  11. Utah State University DigitalCommons@USU

the announcement by the United States government of the Office of Personnel Management (OPM) data breach. This data breach was the first major breach of a government system. While there have been multiple private sector breaches involving millions of people, this was the first to challenge the federal government.

  12. The OPM data breach 2 years on: What government agencies must do now

    Experts weigh in on what needs to be done. The Office of Personnel Management (OPM) breach in June 2015 was a big wake up call to our federal government, and, in its wake, a number of initiatives ...

  13. Time to Rethink Cybersecurity Reform: The OPM Data Breach and the Case

at 3 ("The biggest breach in the first half of this year, which scored a 10 on the Breach Level Index magnitude scale, was an identity theft attack on Anthem Insurance that exposed 78.8 million records…the analysis period included a breach of 21 million records at [OPM] with a Breach Level Index of 9.7…."); see also ...

  14. In re: U.S. Office of Personnel Management Data Security Breach

    These consolidated appeals stemmed from the cyberattack of multiple OPM databases that resulted in the data breach of sensitive personal information from more than 21 million people. Plaintiffs alleged that OPM's cybersecurity practices were inadequate, enabling the hackers to gain access to the agency's database of employee information, in turn exposing plaintiffs to heightened risks of ...

  15. PDF Cyber Aware Case Study

    customer credit and debit card accounts were stolen, along with 53 million customer email addresses. The Home Depot attack had similar markings to a breach of Target's network, including entry into the network via a third party username and password. Had they implemented two-factor authentication (2FA), which requires another piece of ...

  16. PDF Cyber Intrusion into U.S. Office of Personnel Management: In Brief

    On June 4, 2015, the U.S. Office of Personnel Management (OPM) revealed that a cyber intrusion into its information technology systems and data "may have compromised the personal information of [approximately 4.2 million] current and former Federal employees."1 Later in June, OPM reported a separate cyber incident, which it said had ...

  17. Lawyers are nearing a settlement deal for the infamous 2015 OPM hack

    The OPM breach marked a devastating blow to the U.S. government's reputation for cybersecurity and sparked intense anger among many victims — largely because the breached information was ...

  18. Timeline: What We Know About the OPM Breach (UPDATED)

    OPM publicly announces data breach of personnel data systems affecting as many as 4.2 million current and former federal employees. Some officials say those estimates undercount the true scope of ...

  19. Federal judge finalizes $63M settlement for OPM data breach victims

    A federal judge on Friday finalized the Office of Personnel Management's settlement agreement with current and former federal employees, as well as federal job applicants, impacted by a major data breach in 2015. District Judge Amy Berman Jackson, in a fairness hearing at the U.S. District Court for the District of Columbia, said the $63 ...

  20. "Success Is Invisible, But Failure Is Public": Examining The U.S

In 2015, the U.S. Office of Personnel Management (OPM) suffered one of the largest government-related data breaches in U.S. history. A total of 4.2 million personnel records, 21.5 million background check records, and 5.6 million sets of fingerprints were exfiltrated in a sophisticated, multi-stage cyber espionage operation linked to state-sponsored actors.

  21. A Case Study Analysis of the U.S. Office of Personnel Management Data

The OPM is responsible for human resource management for the US Government (McGettigan, 2018). This breach affected some 20 million people (Brendan, 2016). Facts and Issues of the Case: The OPM disclosed the data breach in July 2015, but OPM technical resources noticed the signs of infiltration in early 2014 (Bisson, 2015).

  22. So far, more than 19,000 data breach victims are seeking payouts of up

    OPM disclosed two data breaches in 2015: one that exposed the personnel files of all current and former federal employees and another that released the personally identifiable information of all ...

  23. The devastating hack of the federal Office of Personnel Management

    Katherine Archuleta, director of the Office of Personnel Management, testifies before the Senate Homeland Security and Governmental Affairs Committee about the recent OPM data breach on June 25, 2015.

  24. Author Page for Alan Wehbé :: SSRN

    OPM Data Breach Case Study: Mitigating Personnel Cybersecurity Risk. Boston University Public Interest Law Journal, Vol. 26, No. 1, Winter 2017 ... 2. The Free Press and National Security: Renewing the Case for a Federal Shield Law. First Amendment Law Review, Vol. 16, No. 2, 2018 Number of pages: 26 Posted: 22 May 2018. Alan Wehbé United ...

  25. The Slow-Burn Nightmare of the National Public Data Breach

    Even in a situation where a data broker has admitted to being breached—as is now the case with National Public Data—the stolen data may not be reliable and may have been combined with other ...

  26. Background Check Company Breach Puts 2.9 Billion Records at Risk

    According to the suit and separate cybersecurity companies' analysis of the breach, a cybercriminal group going by the name USDoD posted a database entitled "National Public Data" on a Dark Web forum on 8 April. The attackers claimed to have the personal data of 2.9 billion people, putting the database up for sale for $3.5 million.

  27. Social security number hack: National Public Data confirms data breach

    National Public Data confirms massive data breach included Social Security numbers Social Security numbers, names, addresses, email addresses and phone numbers were in the 2.9 billion records ...

  28. Data breaches have become a fact of modern life. How concerned ...

    The background check company National Public Data just confirmed it suffered a breach earlier this year that involved the Social Security numbers of millions of Americans. ... In the case of ...

  29. 'A Wake-Up Call': Experts Assess Impact of SSN Data Breach Case

    The breach became public knowledge this month after a California resident filed a class action lawsuit against background check company Jerico Pictures, doing business as National Public Data in ...