Case Studies and Examples

The OPM is the human resources department for the U.S. federal government. Among its many responsibilities, the OPM provides background check investigation services to other federal agencies.

In 2015, the OPM announced two separate information security incidents that compromised the PII of over 21.5 million people. The incidents were caused by hackers who infiltrated OPM systems as well as the systems of contractors used by the OPM. The attackers had access to data for more than 6 months. It appears that the two attacks were coordinated, and some government sources suspect that they were coordinated by another country.

People impacted by the breach included anyone who underwent a federal background check investigation from 2000 to 2015. The pool of affected individuals included federal employees, federal contractors, active-duty service members, and veterans. It also included immediate family members and references for anyone whose information was stolen. Some of the PII exposed in the incidents included:

  • SSN
  • Employment history
  • Education history
  • Medical history (including mental health history and information about drug or alcohol abuse)
  • Criminal history
  • Address and address history
  • Foreign travel history
  • Personal information of close family members (spouse, partner, parents, siblings)

The PII stolen also included almost 5.6 million records with fingerprint data. Because of the breaches and public outcry, the OPM director and CIO resigned.

A report from the U.S. House of Representatives Committee on Oversight and Government Reform noted that the breach happened because the OPM did not prioritize its information security activities. The report also noted that the OPM did not meet many FISMA requirements.65

The OPM maintains a web-based resource center for victims of the 2015 incidents. The resource center includes information on the incidents, frequently asked questions, and guidance on how to sign up for identity theft coverage. The OPM is required to provide that coverage through 2026 for affected individuals. You can view the resource center at https://www.opm.gov/cybersecurity/.
