Josh Fruhlinger

The OPM hack explained: Bad security practices meet China’s Captain America

How the OPM hack happened, the technical details, and a timeline of the infiltration and response.


In April of 2015, IT staffers within the United States Office of Personnel Management (OPM), the agency that manages the government’s civilian workforce, discovered that some of its personnel files had been hacked. Among the sensitive data that was exfiltrated were millions of SF-86 forms, which contain extremely personal information gathered in background checks for people seeking government security clearances, along with records of millions of people’s fingerprints. The OPM breach led to a Congressional investigation and the resignation of top OPM executives, and its full implications—for national security, and for the privacy of those whose records were stolen—are still not entirely clear.

OPM hack timeline

As the official Congressional report on the incident says, “The exact details of how and when the attackers gained entry … are not exactly clear.” Nevertheless, researchers have been able to construct a rough timeline of when the breaches began and what the attackers did.

The hack began in November of 2013, when the attackers first breached OPM networks. This attacker or group is dubbed X1 by the Congressional OPM data breach report. While X1 wasn’t able to access any personnel records at that time, they did manage to exfiltrate manuals and IT system architecture information. The next month, in December of 2013, is when we definitively know that attackers were attempting to breach the systems of two contractors, USIS and KeyPoint, who conducted background checks on government employees and had access to OPM servers (though USIS may have actually been breached months earlier).

In March of 2014, OPM officials realized they’d been hacked. However, they didn’t publicize the breach at that time, and, having determined that the attackers were confined to a part of the network that didn’t have any personnel data, OPM officials chose to allow the attackers to remain so they could monitor them and gain counterintelligence. OPM did plan for what they called the “big bang”—a system reset that would purge the attackers from the system—which they implemented on May 27, 2014, when the attackers began to load keyloggers onto database administrators’ workstations.

Unfortunately, on May 7, 2014, an attacker or group dubbed X2 by the report had used credentials stolen from KeyPoint to establish another foothold in the OPM network and install malware there to create a backdoor. This breach went undetected and the “big bang” didn’t remove X2’s access or the backdoor. In July and August of 2014, these attackers exfiltrated the background investigation data from OPM’s systems.

They weren’t done, though: by October 2014, the attackers had moved through the OPM environment to breach a Department of Interior server where personnel records were stored, and in December 2014 another 4.2 million personnel records were exfiltrated. Fingerprint data was exfiltrated in late March of 2015; finally, on April 15, 2015, security personnel noticed unusual activity within the OPM’s networks, which quickly led them to realize that attackers still had a foothold in their systems.

How did the OPM hack happen? The technical details

It’s not entirely clear how X1 gained access to OPM’s networks, but OPM had already been roundly criticized for poor security practices in the period leading up to the intrusion. It’s also not entirely clear that X1 and X2 were the same person or group, but seeing as X1 stole information about OPM’s network that would’ve been helpful to X2’s agenda, the assumption is that they were at least working in tandem.

What is clear is that OPM’s technical leadership, overly confident that they had defeated X1 with the “big bang,” did not use the intrusion as a “wake up call” and failed to take measures that would have helped them detect X2. They had also largely failed to institute a number of important and recommended security measures, the most important of which in the event was two-factor authentication. Under a two-factor authentication scheme, users need a chip-enhanced ID card that correlates with their username and password in order to log into the system. Without it, an attacker who manages to steal a valid username and password—as X2 did, using a login pilfered from KeyPoint—has free access to the system. OPM finally implemented two-factor authentication in January 2015, after X2 had already wormed their way into the network.

At any rate, once X2 had access to OPM systems, they used an Active Directory privilege escalation technique to obtain root access. This was used to install a variant of the PlugX malware, a remote access tool that allowed the attackers to navigate around OPM’s systems and compress and exfiltrate data, on several OPM servers—including, crucially, the “jumpbox,” the administrative server that was used to log into other servers. Sakula, another linked piece of remote control malware, was installed around the same time.

OPM breach response

As noted, X2’s infiltration was finally detected on April 15, 2015, when a security engineer was investigating encrypted SSL traffic on OPM’s networks. The researcher determined a beacon-like ping was connecting a component on OPM’s infrastructure called mcutil.dll to a website called opmsecurity.org. At very casual first glance this may seem on the up-and-up; but mcutil.dll looks like part of a McAfee security software suite, something OPM didn’t use, and opmsecurity.org, despite its name, wasn’t registered by the agency. In fact, mcutil.dll was cloaking the PlugX malware, and opm-security.org was one of several sites acting as command-and-control servers for the attackers. (The attackers had a sense of humor: the domain name, and others like it, were registered to “Steve Rogers” and “Tony Stark,” aka Marvel’s Captain America and Iron Man.)

The scramble to diagnose the problem and defeat the attackers, which quickly involved the government’s US-CERT emergency team, demonstrated some of the weaknesses in the OPM’s processes that had helped make the incident possible in the first place. Confusingly, it involved two security software vendors with similar names: Cylance and CyTech.

The tool security staffers had used to detect the communication with opmsecurity.org was called Cylance V. Back in 2014, the security team had pushed for the agency to license Protect, a higher-end product from Cylance. This was rejected by OPM IT, although the reasons given to Congressional investigators by OPM staff weren’t consistent; some said it was because the product wasn’t FedRAMP certified, while others cited the difficulty IT had installing it on individual workstations. At any rate, the justification was chalked up to office politics in testimony before the Oversight Committee.

Once it became clear that a breach was in progress, OPM staff requested help from Cylance to use Cylance V to diagnose forensic images of OPM servers. Since this was a task more suited to Cylance Protect, they rolled out that tool in a free trial mode, and it “lit up like a Christmas tree.” At this point, OPM began using Protect extensively in its diagnostic process, despite not committing to license it from Cylance; they eventually agreed to do so on June 30th, a day before the trial period was set to elapse. Cylance did not actually receive payment for months.

Meanwhile, on April 21st, representatives from CyTech arrived at OPM for a long-scheduled appointment to demonstrate their CyFIR forensics program. The breach was not public knowledge at this point, and OPM staff did not share any information about it with company founder Ben Cotton, who was there to lead the demo. CyFIR also detected the malware, and Cotton immediately agreed to help with the response. Realizing that the crisis was grave enough to demand immediate action, Cotton began providing software and services based on a handshake agreement. OPM racked up more than $800,000 in bills from CyTech—but no contract was executed and CyTech was not paid.

Who hacked OPM?

While no “smoking gun” was found linking the attack to a specific perpetrator, the overwhelming consensus is that OPM was hacked by state-sponsored attackers working for the Chinese government. Among the evidence is the fact that PlugX, the backdoor tool installed on OPM’s network, is associated with Chinese-language hacking groups that have attacked political activists in Hong Kong and Tibet; the use of superhero names is also associated with groups tied to China.

OPM data would be considered extremely valuable to foreign intelligence services because it includes very sensitive information gathered as part of the process of granting security clearances. The CIA cancelled assignments for some officers in China in the wake of the breach, since many were to work undercover as State Department officials and would’ve been identifiable from the data gathered.

In August of 2017, the FBI arrested Yu Pingan, a Chinese national, as he arrived in the US to attend a conference, charging him with “conspiring with others wielding malicious software known as Sakula,” although the OPM hack was not explicitly mentioned. In September 2018, National Security Advisor John Bolton, at an event where the White House unveiled a new cybersecurity strategy, explicitly tied the attack to Beijing. In February of 2020, the United States Department of Justice formally charged four members of the Chinese military with the 2017 attack on Equifax that netted personally identifying information on millions of people; in the announcement of the indictment, the Equifax attack was explicitly linked to the OPM breach as part of the same larger operation. This was an extremely rare move—the U.S. rarely files criminal charges against foreign intelligence officers in order to avoid retaliation against American operatives—that underscored how seriously the U.S. government took the attack.

OPM hack lawsuit

Soon after the hack hit the news, two public employee unions sued OPM and KeyPoint over the breach, alleging that “OPM violated our constitutional right to informational privacy by recklessly disregarding its Inspector General’s warnings over many years about its IT security deficiencies.” The suit was thrown out in 2017; a judge ruled that the Privacy Act, the law that the suit was based on, used the word “disclosed” in relationship to data and that didn’t apply in cases where data was stolen but not publicly revealed. The case is currently being heard by an appeals court.

OPM hack credit monitoring

One way the federal government has tried to mitigate potential damage to individuals whose identities were hacked is via free credit monitoring and ID protection. These services will be available until 2025, although a recent change in vendors meant that some victims had to take steps to reapply for coverage. Two D.C. area members of the House have attempted to extend this protection for life, so far without success.

What will the OPM data breach cost the United States? Well, in credit monitoring services alone, the government will pay at least $133 million; the total figure might eventually reach $1 billion.

OPM hack: 2018 and beyond

One of the eerie things about the hack is the absence of recent news. The Justice Department has been mum about Yu Pingan since his arrest. There was a case of small-time identity theft in the summer of 2018 that the Department of Justice seemed to imply involved personal data that had been stolen in the breach, but they later admitted they had been in error. As Arun Vishwanath, a cybersecurity researcher at the State University of New York at Buffalo, told Wired magazine, “We haven’t seen a single indication of this data being used anywhere. Yeah, we know the data is gone, but where did it go? What’s the purpose of all of this? No one has the answer to any of that.”

Brendan I. Koerner

Inside the Cyberattack That Shocked the US Government

The US Office of Personnel Management doesn’t radiate much glamour. As the human resources department for the federal government, the agency oversees the legal minutiae of how federal employees are hired and promoted and manages benefits and pensions for millions of current and retired civil servants. The core of its own workforce, numbering well over 5,000, is headquartered in a hulking Washington, DC, building, the interior of which has all the charm of an East German hospital circa 1963. It’s the sort of place where paper forms still get filled out in triplicate.

The routine nature of OPM’s business made the revelations of April 15, 2015, as perplexing as they were disturbing. On that morning, a security engineer named Brendan Saulsbury set out to decrypt a portion of the Secure Sockets Layer (SSL) traffic that flows across the agency’s digital network. Hackers have become adept at using SSL encryption to cloak their exploits, much as online vendors use it to shield credit card numbers in transit. Since the previous December, OPM’s cybersecurity staff had been peeling back SSL’s camouflage to get a clearer view of the data sloshing in and out of the agency’s systems.

Soon after his shift started, Saulsbury noticed that his decryption efforts had exposed an odd bit of outbound traffic: a beacon-like signal pinging to a site called opmsecurity.org. But the agency owned no such domain. The OPM-related name suggested it had been created to deceive. When Saulsbury and his colleagues used a security program called Cylance V to dig a little deeper, they located the signal’s source: a file called mcutil.dll, a standard component of software sold by security giant McAfee. But that didn’t make sense; OPM doesn’t use McAfee products. Saulsbury and the other engineers soon realized that mcutil.dll was hiding a piece of malware designed to give a hacker access to the agency’s servers.

The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away. But in this case, the engineers noticed two unusually frightening details. First, opmsecurity.org had been registered on April 25, 2014, which meant the malware had probably been on OPM’s network for almost a year. Even worse, the domain’s owner was listed as “Steve Rogers”—the scrawny patriot who, according to Marvel Comics lore, used a vial of Super-Soldier Serum to transform himself into Captain America, a member of the Avengers.
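The beacon triage described here and in the CSO article above, as an added example that is not code from either article or from OPM: it runs over constructed decrypted-proxy log lines, flags a (host, module, destination) series whose connection intervals are nearly constant, checks whether the destination reuses the agency's name without being agency-owned, checks whether the calling module resembles a vendor product that is not deployed, and turns the domain's registration date into a lower bound on dwell time. The log format, the owned-domain list, the vendor table, the host name and the thresholds are all assumptions.

```python
"""Beacon and lookalike-domain triage over decrypted-proxy logs.

Added example (not from the CSO or Wired articles). Log format, the agency's
owned-domain list, the vendor module table and the host name are constructed.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed log lines: timestamp, source host, module making the call, destination.
SAMPLE_LOG = """\
2015-04-15T08:00:03 ws-dba-07 mcutil.dll opmsecurity.org
2015-04-15T08:00:09 ws-dba-07 outlook.exe mail.opm.gov
2015-04-15T08:30:02 ws-dba-07 mcutil.dll opmsecurity.org
2015-04-15T08:41:50 ws-dba-07 chrome.exe opm.gov
2015-04-15T09:00:04 ws-dba-07 mcutil.dll opmsecurity.org
2015-04-15T09:30:01 ws-dba-07 mcutil.dll opmsecurity.org
2015-04-15T09:31:17 ws-dba-07 chrome.exe opm.gov
2015-04-15T10:00:05 ws-dba-07 mcutil.dll opmsecurity.org
"""

OWNED_DOMAINS = {"opm.gov"}                # constructed: domains the agency registered
ORG_TOKENS = ("opm",)                      # name fragments a deceptive domain would reuse
VENDOR_MODULES = {"mcutil.dll": "mcafee"}  # modules that look like a vendor's product
DEPLOYED_VENDORS = {"symantec"}            # constructed: security vendors actually installed
REGISTERED = {"opmsecurity.org": date(2014, 4, 25)}  # registration date from the article
DETECTION_DAY = date(2015, 4, 15)          # the day the beacon was spotted, from the article


def parse_log(text):
    """Parse 'ts host module dest' lines into (datetime, host, module, dest) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, module, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, module, dest))
    return events


def is_lookalike(domain):
    """True when a domain reuses the org's name but is not one the org owns."""
    if domain in OWNED_DOMAINS or any(domain.endswith("." + d) for d in OWNED_DOMAINS):
        return False
    return any(tok in domain for tok in ORG_TOKENS)


def beacon_interval(timestamps, min_hits=4, max_jitter=0.05):
    """Mean gap in seconds if the series is regular enough to be a beacon, else None."""
    if len(timestamps) < min_hits:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > max_jitter:
        return None
    return avg


def dwell_lower_bound_days(domain, detection_day):
    """Days between the C2 domain's registration and detection: the implant
    cannot have beaconed to a domain before that domain existed."""
    registered = REGISTERED.get(domain)
    return (detection_day - registered).days if registered else None


def find_beacons(events, detection_day):
    """Group events per (host, module, dest) and report periodic series with reasons."""
    series = defaultdict(list)
    for ts, host, module, dest in events:
        series[(host, module, dest)].append(ts)
    findings = []
    for (host, module, dest), stamps in series.items():
        avg = beacon_interval(stamps)
        if avg is None:
            continue
        reasons = [f"periodic every {avg:.0f}s"]
        if is_lookalike(dest):
            reasons.append("destination reuses the agency name but is not agency-owned")
        vendor = VENDOR_MODULES.get(module.lower())
        if vendor and vendor not in DEPLOYED_VENDORS:
            reasons.append(f"module resembles a {vendor} product that is not deployed")
        findings.append({"host": host, "module": module, "dest": dest, "reasons": reasons,
                         "min_dwell_days": dwell_lower_bound_days(dest, detection_day)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG), DETECTION_DAY):
        print(f["host"], f["module"], "->", f["dest"], "|", "; ".join(f["reasons"]),
              "| on the network at least", f["min_dwell_days"], "days")
```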

Registering sites in Avengers-themed names is a trademark of a shadowy hacker group believed to have orchestrated some of the most devastating attacks in recent memory. Among them was the infiltration of health insurer Anthem, which resulted in the theft of personal data belonging to nearly 80 million Americans. And though diplomatic sensitivities make US officials reluctant to point fingers, a wealth of evidence ranging from IP addresses to telltale email accounts indicates that these hackers are tied to China, whose military allegedly has a 100,000-strong cyberespionage division. (In 2014 a federal grand jury in Pennsylvania indicted five people from one of that division’s crews, known as Unit 61398, for stealing trade secrets from companies such as Westinghouse and US Steel; all the defendants remain at large.)

Once Captain America’s name popped up, there could be little doubt that the Office of Personnel Management had been hit by an advanced persistent threat (APT)—security-speak for a well-financed, often state-sponsored team of hackers. APTs like China’s Unit 61398 have no interest in run-of-the-mill criminal activities such as selling pilfered Social Security numbers on the black market; they exist solely to accumulate sensitive data that will advance their bosses’ political, economic, and military objectives. “Everyone can always say, ‘Oh, yeah, the Pentagon is always going to be a target, the NSA is always going to be a target,’” says Michael Daniel, the cybersecurity coordinator at the White House, who was apprised of the crisis early on. “But now you had the Office of Personnel Management as a target?”

To figure out why the hackers had trained their sights on OPM, investigators would have to determine what, if anything, had been stolen from the agency’s network over the preceding year. But first they had to hunt down and eliminate the malware on its network, an archaic monstrosity that consisted of as many as 15,000 individual machines.

Curtis Mejeur was a victim of dreadful timing. A wry and diminutive former marine who had served in Fallujah, where he mapped insurgent strongholds as part of an intelligence unit dubbed the Hobbits, Mejeur started work as one of OPM’s senior IT strategists on April 1, 2015. He was still getting acclimated to his new job when, on the morning of April 16, he was handed the most daunting assignment of his career: Lead the effort to snuff out the attack on the agency’s network.

Based on the little he’d already heard about the malware’s power and lineage, Mejeur was certain his investigation would uncover plenty of nasty surprises. But he wouldn’t have to deal with them alone; early that morning, a team of engineers from the US Computer Emergency Readiness Team, the Department of Homeland Security unit that handles digital calamities, marched into OPM’s headquarters. The engineers set up a command post in a windowless storage room in the subbasement, just down the hall from where Saulsbury had discovered the hack less than 24 hours earlier.

Since they couldn’t trust OPM’s compromised network, the visitors improvised their own by lugging in workstations and servers that they could seal behind a customized firewall. Soon enough, the subbasement was filled with the incessant clatter of keyboards, occasionally punctuated by the hiss of a Red Bull being popped open. The dozen-plus engineers rarely uttered more than a few words to one another, which is how they prefer to operate.

One of the US-CERT team’s first moves was to analyze the malware that Saulsbury had found attached to mcutil.dll. The program turned out to be one they knew well: a variant of PlugX, a remote-access tool commonly deployed by Chinese-speaking hacking units. The tool has also shown up on computers used by foes of China’s government, including activists in Hong Kong and Tibet. The malware’s code is always slightly tweaked between attacks so firewalls can’t recognize it.

The hunt to find each occurrence of PlugX continued around the clock and dragged into the weekend. A sleeping cot was squeezed into the command post, where temperatures became stifling when the building’s air conditioners shut off as usual on Saturdays and Sundays.

The hunt turned up not just malware but also the first inklings of the breach’s severity. A technician from the security software company Cylance, who was supporting the effort, spotted encrypted .rar files that the attackers had neglected to delete. He knew that .rar files are used to store compressed data and are often employed by hackers to shrink files for efficient exfiltration. In an email to Cylance CEO Stuart McClure on Sunday, April 19, the technician was blunt in his assessment of OPM’s situation: “They are fucked btw,” he wrote.

By Tuesday the 21st, having churned through a string of nearly sleepless days and nights, the investigators felt satisfied that they’d done their due diligence. Their scans had identified over 2,000 individual pieces of malware that were unrelated to the attack in question (everything from routine adware to dormant viruses). The PlugX variant they were seeking to annihilate was present on fewer than 10 OPM machines; unfortunately, some of those machines were pivotal to the entire network. “The big one was what we call the jumpbox,” Mejeur says. “That’s the administrative server that’s used to log in to all the other servers. And it’s got malware on it. That is an ‘Oh feces’ moment.”

By controlling the jumpbox, the attackers had gained access to every nook and cranny of OPM’s digital terrain. The investigators wondered whether the APT had pulled off that impressive feat with the aid of the system blueprints stolen in the breach discovered in March 2014. If that were the case, then the hackers had devoted months to laying the groundwork for this attack.

At first, the investigators left each piece of malware in place, electing only to throttle its ability to send outbound traffic; if the attackers tried to download any data, they would find themselves confined to dial-up speeds. But on April 21, Mejeur and the US-CERT team began to discuss whether it was time to boot the attackers, who would thus learn that they’d been caught. “If I miss one remote-access tool, they’ll come back in through that variant, they’ll reestablish access, and then they’ll go dormant for six months to a year at least,” says a US-CERT incident responder who participated in the OPM investigation and who agreed to speak on the condition he remain anonymous. “And then a year later, they’ve now put malware in a lot of different places, and you don’t know what’s happening because you think you already mitigated the threat.”

The debate continued until the evening of Friday, April 24, when an opportunity presented itself: As part of a grid modernization program in Washington, OPM’s building was scheduled to have its power cut for several hours. The team decided that, even though it would mostly be just a psychological triumph, they would dump the malware just minutes before the blackout. If the attackers were monitoring the network, they wouldn’t realize their access had been cut until everything finished booting up at least 12 hours later.

By the time power was restored on the 25th, the hackers no longer had the means to roam OPM’s network—or at least that’s what everyone hoped. The investigators could finally turn toward piecing together what the attackers had hauled away.

There is a common misperception that the surest way to frustrate hackers is to encrypt data. But advanced persistent threats are skilled at routing around such measures. The first item groups like these usually swipe is the master list of credentials—the usernames and passwords of everyone authorized to access the network. The group’s foot soldiers will then spend weeks or months testing those credentials in search of one that offers maximum system privileges; the ideal is one that belongs to a domain administrator who can decrypt data at will. To minimize their odds of tripping any alarms, the attackers will try each credential only once; then they’ll wait hours to try the next. Since these hackers are likely salaried employees, investing that much time in an attack is just part of the job.
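The low-and-slow credential testing just described, as an added example not drawn from either article: it runs two detection rules over constructed authentication log lines and shows that a burst rule (N failures within ten minutes) never fires on an attacker who tries each stolen credential once, hours apart, while a rule keyed on distinct accounts per source over a long window does, and also reports which account the attacker finally succeeded on. The log format, addresses, account names and thresholds are assumptions.

```python
"""Two detection rules over authentication logs: a burst rule and a low-and-slow rule.

Added example (not from the CSO or Wired articles). Log format, source addresses,
account names and thresholds are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines: timestamp, source address, account, result.
# 10.9.8.7 walks a stolen credential list one account at a time, hours apart.
# 10.1.1.5 is an ordinary user mistyping a password a few times.
SAMPLE_AUTH_LOG = """\
2014-05-07T01:12:04 10.9.8.7 jdoe FAIL
2014-05-07T05:40:51 10.9.8.7 asmith FAIL
2014-05-07T11:03:19 10.9.8.7 svc_backup FAIL
2014-05-07T17:55:02 10.9.8.7 mlee FAIL
2014-05-08T02:20:45 10.9.8.7 kpatel FAIL
2014-05-08T09:47:33 10.9.8.7 dba_admin OK
2014-05-07T09:00:00 10.1.1.5 jdoe FAIL
2014-05-07T09:00:20 10.1.1.5 jdoe FAIL
2014-05-07T09:00:33 10.1.1.5 jdoe FAIL
2014-05-07T09:00:41 10.1.1.5 jdoe OK
"""


def parse_auth_log(text):
    """Parse 'ts src account result' lines into (datetime, src, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, acct, result = line.split()
        events.append((datetime.fromisoformat(ts), src, acct, result))
    return events


def burst_rule(events, max_fails=5, window=timedelta(minutes=10)):
    """Classic rule: sources with at least max_fails failures inside one window.
    A credential tried once every few hours never reaches the threshold."""
    fails = defaultdict(list)
    for ts, src, acct, result in events:
        if result == "FAIL":
            fails[src].append(ts)
    alerts = set()
    for src, stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps) - max_fails + 1):
            if stamps[i + max_fails - 1] - stamps[i] <= window:
                alerts.add(src)
                break
    return alerts


def low_and_slow_rule(events, min_accounts=5, window=timedelta(days=7), max_per_account=1):
    """Sources that touch many distinct accounts, each at most max_per_account times,
    within a long window. The one-try-per-account shape is the tell, not the rate."""
    per_src = defaultdict(lambda: defaultdict(list))
    for ts, src, acct, result in events:
        per_src[src][acct].append((ts, result))
    alerts = {}
    for src, accounts in per_src.items():
        stamps = [ts for tries in accounts.values() for ts, _ in tries]
        if len(accounts) < min_accounts or max(stamps) - min(stamps) > window:
            continue
        if any(len(tries) > max_per_account for tries in accounts.values()):
            continue
        alerts[src] = {
            "accounts": sorted(accounts),
            # accounts where the single try worked: the credential the attacker keeps
            "succeeded": sorted(a for a, tries in accounts.items()
                                if any(r == "OK" for _, r in tries)),
        }
    return alerts


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("burst rule fires on:", burst_rule(ev) or "nothing")
    for src, detail in low_and_slow_rule(ev).items():
        print(f"low-and-slow: {src} tried {len(detail['accounts'])} accounts once each;"
              f" succeeded on {detail['succeeded']}")
```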

There is a straightforward way to foil this approach: multifactor authentication, which requires anyone logging in to a network to be in physical possession of a chip-enhanced ID card that correlates with their username and password. OPM has such an authentication scheme, but it wasn’t fully implemented until January 2015—too late to prevent the PlugX attack. The beacon that connected to opmsecurity.org helped the attackers keep their foothold in the network.

When hackers utilize genuine credentials, life becomes difficult for those who specialize in post-attack forensics. Investigators must determine when authorized credential holders weren’t using their accounts at times when the records state otherwise. And the only way to accomplish that is through face-to-face interviews: For nearly a month, Mejeur and the US-CERT engineers grilled hundreds of OPM employees in groups of six. Since human memories are so faulty, the investigators counted themselves fortunate when an employee was able to recall that they had been on vacation while their credential was in use for a particular week; the team could then analyze that account’s activity during that span, confident that a hacker was responsible for it all.

As the investigators laboriously sifted through interview transcripts and network logs, they created a rough timeline of the attack. The earliest incursion they could identify had been made with an OPM credential issued to a contractor from KeyPoint Government Solutions. There was no way to know how the hackers had obtained that credential, but the investigators knew that KeyPoint had announced a breach of its own in December 2014. There was a good chance that the hackers had first targeted KeyPoint in order to harvest the single credential necessary to compromise OPM.

Once established on the agency’s network, they used trial and error to find the credentials necessary to seed the jumpbox with their PlugX variant. Then, during the long Fourth of July weekend in 2014, when staffing was sure to be light, the hackers began to run a series of commands meant to prepare data for exfiltration. Bundles of records were copied, moved onto drives from which they could be snatched, and chopped up into .zip or .rar files to avoid causing suspicious traffic spikes. The records that the attackers targeted were some of the most sensitive imaginable.

The hackers had first pillaged a massive trove of background-check data. As part of its human resources mission, OPM processes over 2 million background investigations per year, involving everyone from contractors to federal judges. OPM’s digital archives contain roughly 18 million copies of Standard Form 86, a 127-page questionnaire for federal security clearance that includes probing questions about an applicant’s personal finances, past substance abuse, and psychiatric care. The agency also warehouses the data that is gathered on applicants for some of the government’s most secretive jobs. That data can include everything from lie detector results to notes about whether an applicant engages in risky sexual behavior.

The hackers next delved into the complete personnel files of 4.2 million employees, past and present. Then, just weeks before OPM booted them out, they grabbed approximately 5.6 million digital images of government employee fingerprints.

When OPM went public with news of the hack in early June, speculating about the attackers’ plans for the data became a popular Beltway pastime: Some of the theories involved a Chinese plot to recruit agents and, more outlandishly, a scheme to graft fingerprints onto Chinese spies so they could foil biometric sensors. But concrete evidence of the hackers’ long-term intentions remains virtually nonexistent, which may be the scariest part of all.

“We haven’t seen a single indication of this data being used anywhere,” says Arun Vishwanath, a cybersecurity researcher at the State University of New York at Buffalo. “Yeah, we know the data is gone, but where did it go? What’s the purpose of all of this? No one has the answer to any of that.”

The congressional hearings that take place in the wake of national calamities often have a vicious edge, and the one looking into the OPM hack was no exception. The agency’s director, Katherine Archuleta, turned in a clumsy performance before the House Oversight Committee: She failed to offer a clear idea of how many people had been affected by the attack, and she seemed to duck personal responsibility by repeatedly mentioning how difficult it is to secure OPM’s aging “legacy systems.” The committee’s members reacted with predictable scorn.

“I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are keeping information out of the hands of Congress and federal employees,” chided representative Stephen Lynch (D-Massachusetts).

Damning details about OPM’s porous security emerged at the hearing. The agency’s own assistant inspector general for audits testified about what he characterized as a “long history of systemic failures to properly manage its IT infrastructure.”

The tone of the hearings struck some observers as overly brutal. The OPM brain trust received no credit for implementing the SSL decryption program that had led to the attack’s discovery, nor for acting fast to quell the threat. “They could easily have just buried all this stuff and no one would ever have known,” says Stuart McClure, the Cylance CEO. “But they were highly proactive—they just wanted to do what was right.”

But political dramas of this sort seldom end in acts of mercy: Archuleta resigned under pressure, and her CIO, Donna Seymour, opted for retirement days before she was to endure another round of grilling by the House committee. The two executives’ departures struck fear into their peers across the federal bureaucracy. “It was easy for people to see themselves in OPM and ask the question ‘What do we have that people might care about that we hadn’t thought about before?’” says Michael Daniel, the White House cybersecurity coordinator who previously spent over a decade overseeing the intelligence community’s budget while at the Office of Management and Budget.

These newly frightened agency heads made for a receptive audience during the Cybersecurity Sprint, a White House initiative that aimed to improve security throughout the government in a mere 30 days. Held in June 2015, the Sprint was the idea of Tony Scott, who had become the third-ever US federal CIO just five months earlier. “Don’t waste a good crisis,” says Scott, a bearlike and avuncular veteran of Microsoft and Disney. He pressed agencies to spend the Sprint focusing on what he terms “basic hygiene”—that is, making simple upgrades that can drastically reduce an organization’s susceptibility to attack. These include measures such as keeping current with the latest software patches, reducing the number of network users with administrative privileges, and, above all, broadening the adoption of multifactor authentication. According to Scott, the federal government’s use of smartcards for multifactor authentication increased by more than 70 percent during the Sprint.

As the Sprint neared its end in July, Scott and Daniel began to work on a longer-term response to the OPM fiasco—a set of policy goals that they hoped would revolutionize the federal government’s approach to cybersecurity. The document they eventually produced, with substantial input from the likes of the Pentagon and the National Institute of Standards and Technology, became known as the Cybersecurity National Action Plan. First publicly announced by President Obama in February 2016, it calls for billions to be set aside for several critical projects, such as upgrading outmoded systems.

CNAP also stresses the need for better cooperation between the private and public sectors—something that might have made the OPM hack far less severe. In February 2015, in its published analysis of the Anthem hack, the security firm ThreatConnect wrote about its discovery of a suspicious domain registered to “Tony Stark”—the alter ego of Iron Man. That domain was named opm-learning.org. Had anyone at OPM been made aware of ThreatConnect’s finding that month, the agency’s security staff might have started to look for malware right away. But the tip never reached the subbasement at OPM headquarters.

But the plan pays too little attention to a fundamental flaw in our approach to security: We’re overly focused on prevention at the expense of mitigation. One reason these attackers can do so much damage is that the average time between a malware infection and discovery of the attack is more than 200 days, a gap that has barely narrowed in recent years.

“We can’t operate with the mindset that everything has to be about keeping them out,” says Rich Barger, ThreatConnect’s chief intelligence officer. “We have to operate knowing that they’re going to get inside sometimes. The question is, how do we limit their effectiveness and conduct secure business operations knowing they’re watching?” Accomplishing that means building networks that are designed to limit a hacker’s ability to maneuver and creating better ways to detect anomalous behavior by allegedly authorized users.

A cybersecurity overhaul of this magnitude will, of course, require an abundance of talent. And that means much depends on how well government recruiters can convince the best engineers that being locked in a high-stakes competition with supervillain-esque adversaries is more exciting than working in Silicon Valley. Perhaps it will be an easy sell. After all, improving a commercial antivirus program, no matter how highly paid a gig, simply doesn’t have the romantic appeal of battling Unit 61398 for world supremacy.

This article appears in our special November issue, guest-edited by President Barack Obama.


Federal judge finalizes $63M settlement for OPM data breach victims

Victims of one of the largest data breaches to ever hit the federal government are one step closer to a payout, more than seven years later.


A federal judge on Friday finalized the Office of Personnel Management’s settlement agreement with current and former federal employees, as well as federal job applicants, impacted by a major data breach in 2015.

District Judge Amy Berman Jackson, in a fairness hearing at the U.S. District Court for the District of Columbia, said the $63 million settlement for breach victims was “fair, reasonable and adequate.”


Jackson made a preliminary approval of the settlement on June 7.

Court documents show nearly 20,000 individuals have already signed onto the class-action lawsuit, but individuals affected by the breach have until Dec. 23 to submit a claim to join the class-action lawsuit.

The law firm Girard Sharp, which represents plaintiffs in the lawsuit, said in June that the settlement will provide a minimum payment of $700 for individuals who suffered a financial loss as a result of the hack, “even for those with minor expenses.”

Everett Kelley, national president of the American Federation of Government Employees, a plaintiff in the lawsuit, called Friday’s court ruling a “significant victory for rank-and-file federal employees.”

“We look forward to continuing to educate our members whose personal information was compromised in this data breach about how they can take part in this settlement and receive the compensation they are due under the law,” Kelley said.

AFGE has emailed about a million potential victims informing them about the class-action lawsuit.

Additionally, plaintiffs have created targeted ads for current and former federal employees on social media, as well as print and radio ads to make them aware of a website about the class-action lawsuit.

Attorney Daniel Girard told Federal News Network in an email that the settlement will pay anyone who suffered an out-of-pocket loss tied to the data breach up to $10,000.


“AFGE should be commended for coming forward to initiate the suit and supporting the process throughout,” Girard said.

Eligible individuals must demonstrate they had their personal information compromised in the data breaches of OPM’s IT system in 2014 and 2015, or the breach of its contractor Peraton’s electronic information systems in 2013 and 2014.

Individuals, in order to receive a settlement award, must also be able to prove they suffered an out-of-pocket expense or lost compensable time as a result of identity theft or trying to protect themselves from identity theft.

The 2015 breach compromised the personally identifiable information (PII) of approximately 22 million current and former federal employees and job applicants.

About 2 million individuals signed up for free credit monitoring services OPM provided to data breach victims.

Among those affected by the breach, 14 individuals filed objections to the settlement.

Among the objections, individuals complained that it was difficult to document their losses more than seven years after first learning about the OPM breach.


The settlement only compensates those who can prove they were financially affected by the breach.

Another objector said the OPM data breach has caused “lifelong” damage, and that OPM providing free credit monitoring services through September 2026, as mandated by Congress, was insufficient.

Jackson said it “makes sense” that the credit monitoring services should eventually lapse, and that the federal government has done its due diligence in providing these services as long as it has, given the prevalence of data breaches in and out of government since 2015.

Individuals who wish to continue these credit monitoring services beyond the deadline, Jackson said, should do so “for their own peace of mind,” but out of their own pocket.

An OPM spokesperson referred requests for comment to the Justice Department, which did not immediately respond.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.


Jory Heckman is a reporter at Federal News Network covering U.S. Postal Service, IRS, big data and technology issues.


Privacy & Security: One Year After OPM Data Breach, What Has The Government Learned?

Brian Naylor


Beth Cobert says cybersecurity has been boosted since she took over as acting director of the Office of Personnel Management last summer. (Manuel Balce Ceneta/AP)

This week marks a year since the government first revealed that hackers had stolen personnel files of some 4 million current and former federal employees.

About a month later, that number grew to more than 20 million people, including contractors, family members and others who had undergone background checks for federal employment. Everything, from Social Security numbers to birth dates, even fingerprint records, was accessed through Office of Personnel Management networks.

"Massive Data Breach," the headlines called it.

So has anything changed in the succeeding 12 months?

Acting OPM Director Beth Cobert thinks so. "There's a whole series of things around technology, around people, and around process that are different today than a year ago," she says.

Cobert is herself one of the changes at OPM, named to replace Katherine Archuleta, who resigned under pressure from Congress last July.


Cobert says cybersecurity has been amped up at OPM under her watch. The agency now requires employees to use two-factor authentication to log into their computers, meaning a password and a secure card. Employees can no longer access their Gmail accounts from their office computers. OPM has also implemented new tools to detect malware. Cobert says the government can see all the devices connected to its networks as well as monitor the data moving into and out of the system.

"There's a whole series of multilayer defenses we've put into our systems," she says.

It's still unclear how exactly the data were stolen, but investigators believe that hackers may have gained access to the government system through a contractor's website. So the Departments of Defense and Homeland Security have been helping OPM design a new, more secure software system to allow the personnel agency to conduct its own government background checks rather than outsourcing them.

"[OPM] had older systems, that needed to be modernized," says Ann Barron-DiCamillo, who led the DHS cyber team that investigated the OPM breach. "They had neglected networks from the perspective of putting in the cybersecurity sensors and technologies that they need to find adversaries in the network."


Plus, OPM workers were using weak usernames and passwords, she says. "The majority of things that were hitting OPM at that time was going to be your typical phishing scams, you know, targets of opportunity," Barron-DiCamillo tells NPR's Audie Cornish. Barron-DiCamillo says much attention has been paid to brand-new vulnerabilities, but in many cases, on older civilian systems, hackers exploit older vulnerabilities that have existing fixes that aren't adopted fast enough — in many cases out of budget constraints.

"[The OPM hack] brought into the forefront that smaller-sized, medium-sized agencies that didn't consider themselves to be such a threat to cyberactivity from data thieves, that they also have this potential publicity associated with becoming a target and becoming a victim," Barron-DiCamillo says. "They have increased the spending associated with that or are asking Congress for increased budgets."

Rep. Will Hurd, chairman of the information technology panel of the House Oversight Committee, says OPM may be moving in the right direction now, but vulnerabilities remain across government agencies — whether it's the Department of Education, which he says has "tons of information on anyone who's going to school," or the Social Security Administration.

"They're not even adopting some of the best practices when it comes to good digital system hygiene," says Hurd, a former CIA agent whose personnel records were among those hacked.

It took OPM some six months to formally notify the millions who had their records breached. They're now eligible for three years of credit monitoring and identity theft protection services.

Hurd says he personally hasn't noticed any ill effects from the stolen records, but Ryan Lozar thinks he has.

The former federal court law clerk says he froze his bank accounts after someone spent thousands at Best Buy in his name and opened a PayPal account. The hack has caused him "endless explaining, explaining, explaining," dealing with his banks, Lozar says. "It's just kind of exhausting and frustrating."

Lozar is a plaintiff in a class-action suit filed against the government by the American Federation of Government Employees. Among other things, it seeks monetary damages as well as lifetime credit monitoring and identity theft protection for the affected people. A hearing is expected this fall.

Barron-DiCamillo says her information was also part of the breach. She encourages those affected to use the free credit monitoring and identity theft protection services — and make sure to monitor them.

"There's an interesting discussion I heard from OPM that they should even offer [lifetime identity theft protection] as part of federal benefits, because of the kinds of data that they mandate that we provide to them when we sign up for service in federal government," says Barron-DiCamillo, who's now chief technology officer at Strategic Cyber Ventures. "I thought that was a great idea; I think they should look toward providing this as a benefit, just like health care that they provide for federal employees."

Government officials have pointed to China as being behind the breach. Whoever it is, Cobert acknowledges that the U.S. government still has work to do.

"There's a whole set of adversaries out in the world who keep looking for bad things," she says, "and we've got to fundamentally modernize our systems to build in security by design."


“Success Is Invisible, But Failure Is Public”: Examining The U.S. Office Of Personnel Management Data Records Breach


In 2015, the U.S. Office of Personnel Management (OPM) suffered one of the largest government-related data breaches in U.S. history. A total of 4.2 million personnel records, 21.5 million background check records, and 5.6 million sets of fingerprints were exfiltrated in a sophisticated, multi-stage cyber espionage operation linked to state-sponsored actors. Such a large data breach invited bipartisan criticism of the agency’s handling of the incidents and thrust the federal government’s cybersecurity preparedness into the limelight. This paper seeks to answer a set of five interrelated questions: 1) What happened in the 2015 U.S. Office of Personnel Management data breach, and what were the impacts? 2) Did a lack of technical capability hinder OPM’s efforts to detect and block unauthorized access to its network? 3) Were organizational and management weaknesses more to blame? 4) Did the cybersecurity posture at OPM before the incidents change after the events in 2014 and 2015? 5) What can be done by the Office of Personnel Management to prevent or mitigate the damage from similar cyber activities in the future? To answer these questions, this paper first introduces the concept of the “cybersecurity toolkit” to better understand contemporary cyber issues. Second, the OPM case study is discussed, including a timeline of events and key actors. Third, this paper examines the technical, management, and compliance-related factors that contributed to the breaches, including a compilation and analysis of OPM Inspector General cybersecurity audit data from 2007 to 2017. Finally, this paper discusses the short- and long-term impacts of the OPM breach and offers recommendations to improve cybersecurity at OPM and within the federal government.


A Case Study Analysis of the U.S. Office of Personnel Management Data Breech

Jason Thomas

2019, ResearchGate

User training and awareness is often touted as the strongest tool to resist cyberattacks, as users are often the primary attack vector used to gain access to environments (Thomas J. E., 2018). However, sometimes attackers have overwhelming knowledge and resources, making them virtually unstoppable. The Office of Personnel Management (OPM) data breach was one of the most significant data breaches of 2015 (Fruhlinger, 2018). The OPM is responsible for human resource management for the US Government (McGettigan, 2018). This breach affected some 20 million people (Brendan, 2016).


IRS communication on data disclosure


May 10, 2024

IRS statement to taxpayers receiving Letter 6613 alerting them to the unauthorized disclosure of tax return information by an IRS contractor. The contractor, Charles Edward Littlejohn, pled guilty to the unauthorized disclosure of return information in October 2023 and was sentenced to five years in prison earlier this year.

To begin with, it should be stressed that this incident was unacceptable. Any improper access or disclosure of confidential taxpayer information is unacceptable, and it is completely at odds with the IRS’s values and the agency’s commitment to taxpayers.

We recognize that this incident has created a difficult situation for many taxpayers, including individuals as well as business entities. We also recognize that it is incumbent on the IRS not only to protect confidential taxpayer information, but also to address matters to the fullest extent possible when any such information is unlawfully disclosed.

We write to you today to update you on our efforts in this regard, and to provide to you what information we can regarding this incident, within the confines of the law. We will update you periodically as additional information becomes available.

We note that responding to this incident presents a number of challenges for the IRS. First, because much of the relevant information was uncovered in a criminal investigation, there are legal limitations on what the IRS can disclose. The criminal investigation was conducted by the Treasury Inspector General for Tax Administration (TIGTA) and resulted in Mr. Littlejohn being charged by DOJ with unauthorized disclosure of tax information, pleading guilty, and being sentenced to a prison term. In deference to these criminal proceedings, it was only after Mr. Littlejohn was sentenced, in February 2024, that the IRS was able to access information regarding all affected taxpayers. The data set that the IRS received at that point is voluminous and complex, and the IRS has been working with TIGTA to process and analyze this data, including to more fully understand what information, pertaining to what taxpayers, was unlawfully disclosed by Mr. Littlejohn. We are doing this so that we can provide taxpayers with notice of the incident as Section 7431 of the Internal Revenue Code requires, and so that we can take whatever additional steps are warranted to address taxpayer inquiries, interests, and concerns. This has taken some time, which is why we may need to follow up with you through additional correspondence. But there is some factual information that we can provide to you at this stage, which may help you to better assess and manage any risks presented to you by this incident:

  • First, you should note that this incident occurred several years ago. In particular, Mr. Littlejohn admitted that he collected taxpayer information between 2018 and 2020, which he subsequently unlawfully disclosed to two news organizations. Mr. Littlejohn has stated details regarding these disclosures in the court filings in his criminal case.
  • If you are receiving this letter, it is our understanding that Mr. Littlejohn unlawfully disclosed information corresponding to your taxpayer identification number maintained on an IRS database. We do not know – at least not at this point – the full scope of the specific information that Mr. Littlejohn unlawfully disclosed. However, a broad set of taxpayer information is maintained in this database.
  • We have seen no indication thus far that any of this information has been disclosed by Mr. Littlejohn to any persons outside of the two news organizations referenced above, or that these news organizations have disclosed this information to any additional persons (beyond the information that they publicly reported). As may be of particular concern to individual taxpayers, we have not seen any indication that this taxpayer information was used in any way for identity theft or any related type of fraud.
  • We understand from TIGTA and DOJ that the government has recovered the taxpayer information that was in Mr. Littlejohn’s possession.

As noted above, the IRS is continuing to work with TIGTA to better understand this incident, analyze the relevant data, and take appropriate next steps. Among other things, we are continuing to contact any additional impacted taxpayers that we identify, including Form K-1 recipients that may have had their information disclosed. Of particular relevance for individual taxpayers, the IRS has in place screening and review procedures to identify and address potential identity theft and/or tax refund fraud. We also encourage taxpayers and/or their tax professional to review the resources regarding identity theft referenced in our prior letter, and to check IRS transcripts to ensure that taxpayer IRS account(s) do not reflect any unusual activity. [1]

Apart from the measures specific to this incident discussed above, it bears noting that the IRS has taken aggressive action more generally to enhance data security – to ensure, to the fullest extent feasible, that nothing like the Littlejohn incident can happen in the future. We recognize that this does not address the most immediate concerns of taxpayers whose information has already been unlawfully disclosed. Still, in the hope that this conveys to you our commitment to safeguard tax and financial information and to protect taxpayers’ rights, we note that we have developed a number of the protocols and protections that the IRS has put in place in recent years using Inflation Reduction Act (IRA) funding resources and industry and government best practices to better protect taxpayers.

These improvements include further restricting user access for the most sensitive taxpayer data sets; more robust protective security controls; more frequent data reviews; improved firewalls; stronger around the clock data monitoring; new security tools; less use of removable media; tighter email controls; new printer controls and improved retention of data access logs. More information is available here.

Please be assured that this matter in particular – and safeguarding taxpayer information in general – are among the highest priorities of the Internal Revenue Service.

[1] For information on how to request tax account records, please refer to Get Transcript.


Nissan data breach exposed Social Security numbers of thousands of employees

By Khristopher J. Brooks

Edited By Alain Sherter

Updated on: May 15, 2024 / 6:10 PM EDT / CBS News

Nissan suffered a data breach last November in a ransomware attack that exposed the Social Security numbers of thousands of former and current employees, the Japanese automaker said Wednesday. 

Nissan's U.S.-based subsidiary, Nissan North America, detailed the cyberattack in a May 15 letter to affected individuals. In the letter, Nissan North America said a bad actor attacked a company virtual private network and demanded payment. Nissan did not indicate whether it paid the ransom.

"[U]pon learning of the attack, Nissan promptly notified law enforcement and began taking immediate actions to investigate, contain and successfully terminate the threat," the car maker said in the letter, adding that "Nissan worked very closely with external cybersecurity professionals experienced in handling these types of complex security incidents."

Nissan told employees about the incident during a town hall meeting in December 2023, a month after the attack. The company also told staffers that it was launching an investigation and would notify employees privately if their personal information had been compromised. Nissan said it's providing free identity theft protection services to impacted individuals for two years. 

Nissan North America also notified state officials across the U.S. of the attack, noting that data belonging to more than 53,000 current and former workers was compromised. But the company said its investigation found that affected individuals did not have their financial information exposed. 

Nissan North America "has no indication that any information has been misused or was the attack's intended target," the automaker said in its letter.

Ransomware attacks, in which cybercriminals disable a target's computer systems or steal data and then demand payment to restore service, have become increasingly common. One cybersecurity expert said someone likely got a password or multi-factor authentication code from an existing Nissan employee, enabling the hacker to enter through the company's VPN.

"It is unfortunate that the breach ended up involving personal information, however Nissan has done the right thing by continuing to investigate the incident and reporting the update," Erich Kron, a cybersecurity awareness advocate at KnowBe4, told CBS MoneyWatch in an emailed statement. "In this case, targeting the VPN will often help bad actors avoid detection and bypass many of the organizational security controls that are in place."


Khristopher J. Brooks is a reporter for CBS MoneyWatch. He previously worked as a reporter for the Omaha World-Herald, Newsday and the Florida Times-Union. His reporting primarily focuses on the U.S. housing market, the business of sports and bankruptcy.

