In April of 2015, IT staffers within the United States Office of Personnel Management (OPM), the agency that manages the government's civilian workforce, discovered that some of its personnel files had been hacked. Among the sensitive data that was exfiltrated were millions of SF-86 forms, which contain extremely personal information gathered in background checks for people seeking government security clearances, along with records of millions of people's fingerprints. The OPM breach led to a Congressional investigation and the resignation of top OPM executives, and its full implications—for national security, and for the privacy of those whose records were stolen—are still not entirely clear.
OPM hack timeline
As the official Congressional report on the incident says, "The exact details of how and when the attackers gained entry ... are not exactly clear." Nevertheless, researchers have been able to construct a rough timeline of when the breaches began and what the attackers did.
The hack began in November of 2013, when the attackers first breached OPM networks. This attacker or group is dubbed X1 by the Congressional OPM data breach report. While X1 wasn't able to access any personnel records at that time, they did manage to exfiltrate manuals and IT system architecture information. By the next month, December of 2013, we definitively know that attackers were attempting to breach the systems of two contractors, USIS and KeyPoint, which conducted background checks on government employees and had access to OPM servers (though USIS may have actually been breached months earlier).
The official OPM hack report
After an exhaustive and sometimes confrontational investigation, the House Oversight & Government Reform Committee released a report on the OPM data breach to the public. It runs to 241 pages, and much of the material in this article derives from its conclusions.
In March of 2014, OPM officials realized they'd been hacked. However, they didn't publicize the breach at that time, and, having determined that the attackers were confined to a part of the network that didn't have any personnel data, OPM officials chose to allow the attackers to remain so they could monitor them and gain counterintelligence. OPM did plan for what they called the "big bang"—a system reset that would purge the attackers from the system—which they implemented...