Office of Personnel Management data breach (2015)

From International cyber law: interactive toolkit
Date: The exact date of the breach of the Office of Personnel Management (OPM) servers is unknown. Nevertheless, malware had been residing on the servers since at least 2012, and the earliest known malicious activity disclosed so far dates back to November 2013. The gravest part of the attack, the exfiltration of background investigation and personnel data, was carried out between June 2014 and March 2015. The attack was not completely blocked until 30 June 2015.[1]

Suspected actor: Unknown state-sponsored group working for the Chinese government.[2][3]

Target: United States Office of Personnel Management

Target systems: n/a

Method: It is not entirely clear how the attackers gained access to OPM's networks. In the first phase, an attacker (A1) used a domain registered on the OPM server and exfiltrated IT system architecture documentation and manuals. OPM found out about A1's malicious activity and began to monitor it. Later, a separate attack was carried out by an attacker (A2) associated with A1, who posed as a background investigations contractor (KeyPoint) and, using an OPM credential, remotely accessed OPM's network and installed PlugX malware to create a backdoor. On 27 May 2014, OPM shut down its compromised systems in an effort to avoid more severe breaches by A1. While OPM successfully expelled A1, A2, thanks to the backdoor, preserved its presence on the OPM network and later moved through the OPM environment to the U.S. Department of the Interior data center where OPM personnel records were stored. The data exfiltration continued undiscovered until April 2015, when an OPM contractor working on IT security detected suspicious activity on the OPM network.

Purpose: Unclear. The attack was seen as an effort to gain valuable information about U.S. agencies and their employees as part of an espionage campaign.[4] The personal data of the U.S. employees could also be used for financial gain. Indeed, some employees affected by the hack have claimed that they have been subjected to fraudulent credit charges, tax filings and other instances of identity theft that could credibly be traced back to the OPM breaches.[5]

Result: Sensitive information on 21.5 million individuals (applicants for security clearances and their relatives) was stolen from the background investigation databases, including approximately 5.6 million fingerprints. Moreover, OPM discovered that personnel data such as the names, birth dates, home addresses and Social Security Numbers of 4.2 million current and former Federal government employees had been stolen.[6]

Aftermath: OPM Director Katherine Archuleta and OPM Chief Information Officer Donna Seymour resigned.[7] Furthermore, two federal employee unions and several individuals sued OPM and KeyPoint for violation of a constitutional right to informational privacy. The trial is still ongoing, but so far the courts have found that this constitutional right had not been violated.[8]

Even though the Obama administration decided not to blame China for the massive breach in 2015,[9] there was a strong belief that China was responsible for the attack. Chinese officials denied all the accusations, calling them irresponsible and unscientific.[10] Later, in 2017, President-elect Donald Trump said China was behind the massive breach.[11] The same statement also came from John Bolton, White House National Security Adviser.[12] Finally, it is worth noting that a Chinese national was arrested by the FBI after being accused of conspiring with others to use Sakula, a malware deployed in the OPM breach.[13]

Analysed in Scenario 02: Cyber espionage against government departments

Collected by: Adam Botek

  1. “Report from the Committee on Oversight and Government Reform on the OPM Breach” (September 7, 2016), Committee on Oversight and Government Reform, U.S. House of Representatives.
  2. Josh Fruhlinger, “The OPM hack explained: Bad security practices meet China's Captain America” (November 6, 2018), CSO.
  3. Ian Smith, “Bolton Confirms China was Behind OPM Data Breaches” (September 21, 2018).
  4. Tom Risen, “China Suspected in Theft of Federal Employee Records” (June 5, 2015), US News.
  5. Eric Katz, “Federal Employees Suing OPM Score Win in Lawsuit Over Data Hacks” (June 24, 2019), Government Executive.
  6. “Cybersecurity Incidents”, Office of Personnel Management.
  7. “Report from the Committee on Oversight and Government Reform on the OPM Breach” (September 7, 2016), Committee on Oversight and Government Reform, U.S. House of Representatives.
  8. Amelia Brust, David Thornton, “Appeals court rules OPM data breach left people vulnerable to harm” (June 27, 2019), Federal News Network.
  9. Ellen Nakashima, “U.S. decides against publicly blaming China for data hack” (July 21, 2015), The Washington Post.
  10. Dominic Rushe, “OPM hack: China blamed for massive breach of US government data” (June 5, 2015), The Guardian.
  11. Michael D. Shear, David E. Sanger, “Putin Led a Complex Cyberattack Scheme to Aid Trump, Report Finds” (January 6, 2017), The New York Times.
  12. Ian Smith, “Bolton Confirms China was Behind OPM Data Breaches” (September 21, 2018).
  13. Joseph Menn, “Chinese national arrested in Los Angeles on U.S. hacking charge” (August 25, 2017), Reuters.