Lessons from the OPM Data Breach

In 2015, the US government’s Office of Personnel Management (OPM) reported data breaches that affected millions of applicants and employees. It was the worst data breach in history in a human resources department. Most of the news coverage focused on the politics of the attack, which came from China. From the standpoint of HR departments, though, it’s more useful to look at what OPM did wrong, what happened as a result, and how other HR offices can learn from the experience.

What Happened

According to security expert Brian Krebs’ report, the first breach began in March 2014. Initially OPM thought no data on personnel had been stolen. In June 2015 it reported that 4 million federal employees had been affected. A second breach resulted in the theft of sensitive information on 21.5 million people, mostly ones who had applied for a background investigation.

The attackers were able to reach OPM’s records through its contractors USIS and Keypoint, which did work on background checks. The applicants were seeking security clearances, and because the clearance process deliberately collects information that could make an applicant vulnerable to blackmail, the data was unusually sensitive. The stolen information included SF-86 forms, which applicants submit as part of the clearance process. The form includes questions about past work reprimands, courts martial, relatives, foreign contacts, and foreign financial interests.

The stolen information could have included records from interviews with family members and associates of the people applying for clearances. Even fingerprint data on applicants was included in the leak.

People who went through background investigations as far back as 2000 were “highly likely” to have been affected, and some people who were investigated earlier might have been.

The Effects

The suspicion of state actors deflected much of the publicity from OPM’s internal problems, but it still had to take serious steps to remedy the breach. It offered credit monitoring and identity theft restoration services to everyone directly affected, and in some cases to their children.
Following the breach, OPM seriously enhanced its HR cyber security measures. It added two-factor authentication, prohibited employees from accessing personal Gmail accounts from office machines, and added network monitoring. The cost of the remedial action to OPM — that is, to the taxpayers — was in the hundreds of millions of dollars.
OPM Director Katherine Archuleta resigned, although many of the root problems preceded her tenure and she had launched some security reforms. The American Federation of Government Employees filed a class-action suit, seeking monetary compensation for the breach. A federal court dismissed the suit, and the plaintiffs have appealed.

What Made it Possible

The weaknesses in OPM’s systems were the result of many years of inadequate security. Ars Technica blamed “inertia, a lack of internal expertise, and a decade of neglect.” The OPM Inspector General had noted a “material weakness” in the bureau’s security practices in 2007. Before 2013, none of its IT staff had security certifications. OPM didn’t have a complete inventory of its network devices and servers. Its process documentation was incomplete.

When DHS CERT investigated OPM’s systems in 2015, it discovered there was malware in them that was stealing data on an ongoing basis. The malware had expanded its reach since the original infiltration and was able to access many systems. Lack of encryption made things easier for the attackers. Best security practices require encrypting sensitive information such as Social Security numbers, but OPM wasn’t doing even that.

On an organizational level, OPM didn’t have centralized control of its IT systems. It was difficult, if not impossible, to assess all the risks and develop a plan to manage them. In brief, OPM was sitting in a position that left it very vulnerable to data theft. That the attacks came from a very sophisticated source only made matters worse.

What to Learn From the Breach

No other HR office in the United States is as big as OPM, and none handles as much sensitive data. Still, the lessons that come out of the OPM breach are applicable to every office that handles confidential data on applicants and employees.

The most obvious lesson is not to take employee security casually. There were plenty of warnings that OPM had problems. It didn’t act on them, perhaps because too much of its budget went to other priorities. It didn’t have the security specialists who might have called attention to problems. When the breaches occurred, they went unnoticed for a long time.

Another lesson is that third-party services are often the weakest point. In aiming for the lowest bid and quickest delivery, contractors may skimp on security considerations. They may just not know how to do security properly. If they aren’t held by a contract to an adequate security level, they have every incentive to neglect it. The department that hired them will bear the responsibility.

The breach was bigger than it first appeared to be; in fact, there were multiple breaches. This is a common pattern. First some indications of a problem show up, and gradually the full extent reveals itself. Claiming too early that a breach had no major effects can prove embarrassing later. Full disclosure is better in the long run.

OPM has an especially large number of computer systems, but even a moderately large HR office will have enough that keeping track of them is a challenge. It’s important to have a solid overview of all data systems in order to identify points of weakness. The ways they communicate with one another are as important as the separate systems. If the network isn’t well-configured, access to one system may mean easy access to all of them.
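To make the point about inventories and inter-system access paths concrete, here is an added example in Python (not from the original article). It walks a constructed, hypothetical inventory of HR systems and the links between them, reports which sensitive systems a compromise of one entry point could reach, flags links to devices missing from the inventory, and shows how restricting links to the intended data flows shrinks that reach. Every system name and link is made up for illustration.

```python
"""Blast-radius check over a constructed HR system inventory (added example)."""
from collections import deque

# Constructed inventory: system -> attributes. 'sensitive' marks systems that
# hold data such as Social Security numbers or background-check records.
INVENTORY = {
    "contractor_vpn":  {"owner": "third party", "sensitive": False},
    "bg_check_portal": {"owner": "contractor",  "sensitive": True},
    "hr_file_server":  {"owner": "HR",          "sensitive": True},
    "payroll_db":      {"owner": "Finance",     "sensitive": True},
    "intranet_wiki":   {"owner": "IT",          "sensitive": False},
}

# Constructed access paths: A -> B means a session on A can open a connection
# to B with no further authentication (a flat network). 'legacy_scanner' is
# deliberately absent from INVENTORY to stand for an unrecorded device.
FLAT_NETWORK = {
    "contractor_vpn":  {"bg_check_portal", "intranet_wiki"},
    "bg_check_portal": {"hr_file_server"},
    "intranet_wiki":   {"hr_file_server", "payroll_db", "legacy_scanner"},
    "hr_file_server":  {"payroll_db"},
    "payroll_db":      set(),
}

def reachable(links, start):
    """Breadth-first walk: every system reachable from a foothold on `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposed_sensitive(inventory, links, start):
    """Sensitive inventoried systems within reach of `start`, excluding `start`."""
    hits = reachable(links, start) - {start}
    return sorted(s for s in hits if inventory.get(s, {}).get("sensitive", False))

def unmapped(inventory, links):
    """Link targets that the inventory does not know about: the blind spots."""
    return sorted({dst for dsts in links.values() for dst in dsts} - set(inventory))

def segmented(links, allowed):
    """Keep only the (src, dst) links in `allowed`, i.e. the intended data flows."""
    return {src: {d for d in dsts if (src, d) in allowed} for src, dsts in links.items()}

if __name__ == "__main__":
    print("flat network:", exposed_sensitive(INVENTORY, FLAT_NETWORK, "contractor_vpn"))
    print("not in inventory:", unmapped(INVENTORY, FLAT_NETWORK))
    allowed = {("contractor_vpn", "bg_check_portal"), ("hr_file_server", "payroll_db")}
    print("segmented:", exposed_sensitive(INVENTORY, segmented(FLAT_NETWORK, allowed), "contractor_vpn"))
```

The same walk can be run from each contractor-facing entry point to see how far a third-party compromise would carry before any segmentation is in place.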

Applicant and employee information can contain sensitive data that needs special protection. Private employers don’t process top-secret clearances, but they look into criminal convictions, civil judgments, and credit records. Accidentally releasing this information can hurt not just the applicants but their family members and acquaintances. That’s exactly why some unscrupulous parties would like to obtain it.

What happened to OPM could happen, on a smaller scale, to any HR department that keeps electronic records on applicants and employees. It’s not wise to underestimate the consequences it could have. The doctrine of sovereign immunity may protect OPM from some of the legal consequences, but other employers could face liability under employee privacy laws.

The OPM breach should be a reminder to all HR departments of how serious a matter security is.