Josh Fruhlinger

The OPM hack explained: Bad security practices meet China’s Captain America

How the OPM hack happened, the technical details, and a timeline of the infiltration and response.

In April of 2015, IT staffers within the United States Office of Personnel Management (OPM), the agency that manages the government’s civilian workforce, discovered that some of its personnel files had been hacked. Among the sensitive data that was exfiltrated were millions of SF-86 forms, which contain extremely personal information gathered in background checks for people seeking government security clearances, along with records of millions of people’s fingerprints. The OPM breach led to a Congressional investigation and the resignation of top OPM executives, and its full implications—for national security, and for the privacy of those whose records were stolen—are still not entirely clear.

OPM hack timeline

As the official Congressional report on the incident says, “The exact details of how and when the attackers gained entry … are not exactly clear.” Nevertheless, researchers have been able to construct a rough timeline of when the breaches began and what the attackers did.

The hack began in November of 2013, when the attackers first breached OPM networks. This attacker or group is dubbed X1 by the Congressional OPM data breach report. While X1 wasn’t able to access any personnel records at that time, they did manage to exfiltrate manuals and IT system architecture information. The next month, in December of 2013, is when we definitively know that attackers were attempting to breach the systems of two contractors, USIS and KeyPoint, who conducted background checks on government employees and had access to OPM servers (though USIS may have actually been breached months earlier).

In March of 2014, OPM officials realized they’d been hacked. However, they didn’t publicize the breach at that time, and, having determined that the attackers were confined to a part of the network that didn’t have any personnel data, OPM officials chose to allow the attackers to remain so they could monitor them and gain counterintelligence. OPM did plan for what they called the “big bang”—a system reset that would purge the attackers from the system—which they implemented on May 27, 2014, when the attackers began to load keyloggers onto database administrators’ workstations.

Unfortunately, on May 7, 2014, an attacker or group dubbed X2 by the report had used credentials stolen from KeyPoint to establish another foothold in the OPM network and install malware there to create a backdoor. This breach went undetected and the “big bang” didn’t remove X2’s access or the backdoor. In July and August of 2014, these attackers exfiltrated the background investigation data from OPM’s systems.

They weren’t done, though: by October 2014, the attackers had moved through the OPM environment to breach a Department of Interior server where personnel records were stored, and in December 2014 another 4.2 million personnel records were exfiltrated. Fingerprint data was exfiltrated in late March of 2015; finally, on April 15, 2015, security personnel noticed unusual activity within the OPM’s networks, which quickly led them to realize that attackers still had a foothold in their systems.

How did the OPM hack happen? The technical details

It’s not entirely clear how X1 gained access to OPM’s networks, but OPM had already been roundly criticized for poor security practices in the period leading up to the intrusion. It’s also not entirely clear that X1 and X2 were the same person or group, but seeing as X1 stole information about OPM’s network that would’ve been helpful to X2’s agenda, the assumption is that they were at least working in tandem.

What is clear is that OPM’s technical leadership, overly confident that they had defeated X1 with the “big bang,” did not use the intrusion as a “wake up call” and failed to take measures that would have helped them detect X2. They had also largely failed to institute a number of important and recommended security measures, the most important of which in the event was two-factor authentication. Under a two-factor authentication scheme, users need a chip-enhanced ID card that correlates with their username and password in order to log into the system. Without it, an attacker who manages to steal a valid username and password—as X2 did, using a login pilfered from KeyPoint—has free access to the system. OPM finally implemented two-factor authentication in January 2015, after X2 had already wormed their way into the network.

At any rate, once X2 had access to OPM systems, they used an Active Directory privilege escalation technique to obtain root access. This was used to install a variant of the PlugX malware, a remote access tool that allowed the attackers to navigate around OPM’s systems and compress and exfiltrate data, on several OPM servers—including, crucially, the “jumpbox,” the administrative server that was used to log into other servers. Sakula, another linked piece of remote control malware, was installed around the same time.

OPM breach response

As noted, X2’s infiltration was finally detected on April 15, 2015, when a security engineer was investigating encrypted SSL traffic on OPM’s networks. The researcher determined a beacon-like ping was connecting a component on OPM’s infrastructure called mcutil.dll to a website called opm-security.org. At very casual first glance this may seem on the up-and-up; but mcutil.dll looks like part of a McAfee security software suite, something OPM didn’t use, and opm-security.org, despite its name, wasn’t registered by the agency. In fact, mcutil.dll was cloaking the PlugX malware, and opm-security.org was one of several sites acting as command-and-control servers for the attackers. (The attackers had a sense of humor: the domain name, and others like it, were registered to “Steve Rogers” and “Tony Stark,” aka Marvel’s Captain America and Iron Man.)
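The three observations the engineer combined above (a regularly timed outbound connection, a module named after a vendor the agency didn’t run, and a destination that borrows the agency’s name but isn’t registered to it) can be turned into a repeatable triage check. The following Python is an added example written for this article; it is not code from the article, from OPM, or from any of the vendors named. The log format, the sample lines, the list of registered domains and the list of deployed vendors are all constructed assumptions for the demonstration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy/flow log (not real OPM telemetry). Assumed format:
# "<ISO timestamp> <host> <originating module> <destination domain>"
SAMPLE_LOG = """\
2015-04-15T08:00:00 ws-dba-01 mcutil.dll opm-security.org
2015-04-15T08:00:05 ws-dba-01 chrome.exe opm.gov
2015-04-15T08:05:01 ws-dba-01 mcutil.dll opm-security.org
2015-04-15T08:07:33 ws-dba-01 chrome.exe opm.gov
2015-04-15T08:10:00 ws-dba-01 mcutil.dll opm-security.org
2015-04-15T08:14:59 ws-dba-01 mcutil.dll opm-security.org
2015-04-15T08:20:02 ws-dba-01 mcutil.dll opm-security.org
2015-04-15T08:21:10 ws-dba-01 outlook.exe mail.opm.gov
2015-04-15T09:02:44 ws-dba-01 chrome.exe opm.gov
"""

ORG_NAME = "opm"
# Domains the organisation actually controls (assumed list for the example).
REGISTERED_DOMAINS = {"opm.gov"}
# Security vendors actually deployed (assumed). A module that imitates a
# vendor not on this list is worth a second look, as mcutil.dll was.
DEPLOYED_SECURITY_VENDORS = {"cylance"}
# Filename prefixes that commonly belong to a vendor's components (heuristic).
VENDOR_PREFIXES = {"mc": "mcafee", "sym": "symantec", "cyl": "cylance"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the assumed four-column format into (timestamp, host, module, dest)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, module, dest = m.groups()
        events.append((datetime.fromisoformat(ts), host, module, dest.lower()))
    return events


def is_lookalike(domain):
    """True when a domain echoes the org name but is not one the org registered."""
    for d in REGISTERED_DOMAINS:
        if domain == d or domain.endswith("." + d):
            return False
    return ORG_NAME in domain


def masquerading_module(module):
    """Return the vendor a module name imitates if that vendor is not deployed."""
    name = module.lower()
    for prefix, vendor in VENDOR_PREFIXES.items():
        if name.startswith(prefix) and vendor not in DEPLOYED_SECURITY_VENDORS:
            return vendor
    return None


def find_beacons(events, min_hits=4, max_cv=0.10):
    """Flag (host, module, dest) tuples whose connection intervals are nearly constant.

    A coefficient of variation (stdev / mean) at or below max_cv over at least
    min_hits connections is treated as beacon-like; interactive browsing
    produces irregular gaps and does not match.
    """
    by_key = defaultdict(list)
    for ts, host, module, dest in events:
        by_key[(host, module, dest)].append(ts)
    findings = []
    for (host, module, dest), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append({"host": host, "module": module, "dest": dest,
                             "hits": len(stamps), "period_s": round(mean),
                             "cv": round(cv, 3)})
    return findings


def triage(text):
    """Combine the three checks into one alert per beaconing tuple."""
    alerts = []
    for f in find_beacons(parse_log(text)):
        reasons = ["periodic beacon"]
        if is_lookalike(f["dest"]):
            reasons.append("lookalike domain not registered to the org")
        vendor = masquerading_module(f["module"])
        if vendor:
            reasons.append(f"module imitates {vendor}, which is not deployed")
        f["reasons"] = reasons
        alerts.append(f)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The interval test is deliberately loose (10% jitter) because real implants add jitter; tightening it trades missed beacons for fewer false positives, so the two name-based checks are there to raise confidence rather than to stand alone.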

The scramble to diagnose the problem and defeat the attackers, which quickly involved the government’s US-CERT emergency team, demonstrated some of the weaknesses in the OPM’s processes that had helped make the incident possible in the first place. Confusingly, it involved two security software vendors with similar names: Cylance and CyTech.

The tool security staffers had used to detect the communication with opm-security.org was called Cylance V. Back in 2014, the security team had pushed for the agency to license Protect, a higher-end product from Cylance. This was rejected by OPM IT, although the reasons given to Congressional investigators by OPM staff weren’t consistent; some said it was because the product wasn’t FedRAMP certified, while others cited the difficulty IT had installing it on individual workstations. At any rate, the justification was chalked up to office politics in testimony before the Oversight Committee.

Once it became clear that a breach was in progress, OPM staff requested help from Cylance to use Cylance V to diagnose forensic images of OPM servers. Since this was a task more suited to Cylance Protect, they rolled out that tool in a free trial mode, and it “lit up like a Christmas tree.” At this point, OPM began using Protect extensively in its diagnostic process, despite not committing to license it from Cylance; they eventually agreed to do so on June 30th, a day before the trial period was set to elapse. Cylance did not actually receive payment for months.

Meanwhile, on April 21st, representatives from CyTech arrived at OPM for a long-scheduled appointment to demonstrate their CyFIR forensics program. The breach was not public knowledge at this point, and OPM staff did not share any information about it with company founder Ben Cotton, who was there to lead the demo. CyFIR also detected the malware, and Cotton immediately agreed to help with the response. Realizing that the crisis was grave enough to demand immediate action, Cotton began providing software and services based on a handshake agreement. OPM racked up more than $800,000 in bills from CyTech—but no contract was executed and CyTech was not paid.

Who hacked OPM?

While no “smoking gun” was found linking the attack to a specific perpetrator, the overwhelming consensus is that OPM was hacked by state-sponsored attackers working for the Chinese government. Among the evidence is the fact that PlugX, the backdoor tool installed on OPM’s network, is associated with Chinese-language hacking groups that have attacked political activists in Hong Kong and Tibet; the use of superhero names is also associated with groups tied to China.

OPM data would be considered extremely valuable to foreign intelligence services because it includes very sensitive information gathered as part of the process of granting security clearances. The CIA cancelled assignments for some officers in China in the wake of the breach, since many were to work undercover as State Department officials and would’ve been identifiable from the data gathered.

In August of 2017, the FBI arrested Yu Pingan, a Chinese national, as he arrived in the US to attend a conference, charging him with “conspiring with others wielding malicious software known as Sakula,” although the OPM hack was not explicitly mentioned. In September 2018, National Security Advisor John Bolton, at an event where the White House unveiled a new cybersecurity strategy, explicitly tied the attack to Beijing. In February of 2020, the United States Department of Justice formally charged four members of the Chinese military with the 2017 attack on Equifax that netted personally identifying information on millions of people; in the announcement of the indictment, the Equifax attack was explicitly linked to the OPM breach as part of the same larger operation. This was an extremely rare move—the U.S. rarely files criminal charges against foreign intelligence officers in order to avoid retaliation against American operatives—that underscored how seriously the U.S. government took the attack.

OPM hack lawsuit

Soon after the hack hit the news, two public employee unions sued OPM and KeyPoint over the breach, alleging that “OPM violated our constitutional right to informational privacy by recklessly disregarding its Inspector General’s warnings over many years about its IT security deficiencies.” The suit was thrown out in 2017; a judge ruled that the Privacy Act, the law that the suit was based on, used the word “disclosed” in relationship to data and that didn’t apply in cases where data was stolen but not publicly revealed. The case is currently being heard by an appeals court.

OPM hack credit monitoring

One way the federal government has tried to mitigate potential damage to individuals whose identities were hacked is via free credit monitoring and ID protection. These services will be available until 2025, although a recent change in vendors meant that some victims had to take steps to reapply for coverage. Two D.C. area members of the House have attempted to extend this protection for life, so far without success.

What will the OPM data breach cost the United States? Well, in credit monitoring services alone, the government will pay at least $133 million; the total figure might eventually reach $1 billion.

OPM hack: 2018 and beyond

One of the eerie things about the hack is the absence of recent news. The Justice Department has been mum about Yu Pingan since his arrest. There was a case of small-time identity theft in the summer of 2018 that the Department of Justice seemed to imply involved personal data that had been stolen in the breach, but they later admitted they had been in error. As Arun Vishwanath, a cybersecurity researcher at the State University of New York at Buffalo, told Wired magazine, “We haven’t seen a single indication of this data being used anywhere. Yeah, we know the data is gone, but where did it go? What’s the purpose of all of this? No one has the answer to any of that.”


Josh Fruhlinger is a writer and editor who lives in Los Angeles.


The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation

House Oversight and Government Reform Chairman Jason Chaffetz (R-UT) released a staff report titled, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, chronicling the Committee’s year-long investigation into how highly personal, highly sensitive data of millions of Americans was compromised by a foreign adversary in 2015. The report outlines findings and recommendations to help the federal government better acquire, deploy, maintain, and monitor its information technology.

As a result of one of the Committee’s findings, Chairman Chaffetz sent a letter to the Government Accountability Office (GAO) requesting an opinion on whether the Office of Personnel Management (OPM) violated the Anti-Deficiency Act (ADA) when it accepted services from a company without payment.

Key findings, recommendations and an excerpt from the letter are below:

Key Findings:

  • The OPM data breach was preventable.
  • OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber attacks, and failed to prioritize resources for cybersecurity.
  • Data breaches in 2014 were likely connected and possibly coordinated to the 2015 data breach.
  • OPM misled the public on the extent of the damage of the breach and made false statements to Congress.

Key Recommendations:

  • Reprioritize federal information security efforts toward zero trust.
  • Ensure agency CIOs are empowered, accountable, and competent.
  • Reduce use of social security numbers by federal agencies.
  • Modernize existing legacy federal information technology assets.
  • Improve federal recruitment, training, and retention of federal cybersecurity specialists.

Letter to GAO:

“In brief, we believe OPM violated the ADA when the agency retained and deployed CyTech’s software following a product demonstration, and never paid.”

A timeline of the breaches can be found here.

In re: U.S. Office of Personnel Management Data Security Breach Litigation, No. 17-5117 (D.C. Cir. 2019)

These consolidated appeals stemmed from the cyberattack of multiple OPM databases that resulted in the data breach of sensitive personal information from more than 21 million people. Plaintiffs alleged that OPM's cybersecurity practices were inadequate, enabling the hackers to gain access to the agency's database of employee information, in turn exposing plaintiffs to heightened risks of identity theft and other injuries. The district court dismissed the complaints based on lack of Article III standing and failure to state a claim. The DC Circuit held that both sets of plaintiffs have alleged facts sufficient to satisfy Article III standing requirements; the Arnold Plaintiffs have stated a claim for damages under the Privacy Act, and have unlocked OPM's waiver of sovereign immunity, by alleging OPM's knowing refusal to establish appropriate information security safeguards; KeyPoint was not entitled to derivative sovereign immunity because it has not shown that its alleged security faults were directed by the government, and it is alleged to have violated the Privacy Act standards incorporated into its contract with OPM; and, assuming a constitutional right to informational privacy, NTEU Plaintiffs have not alleged any violation of such a right. Accordingly, the court affirmed in part, reversed in part, and remanded for further proceedings.

The DC Circuit affirmed in part and reversed in part, in consolidated actions stemming from the cyberattack of multiple OPM databases that resulted in the data breach of sensitive personal information from more than 21 million people.

All Tech Considered

Privacy & Security: One Year After OPM Data Breach, What Has The Government Learned?

Brian Naylor

Beth Cobert says cybersecurity has been boosted since she took over as acting director of the Office of Personnel Management last summer. Manuel Balce Ceneta/AP

This week marks a year since the government first revealed that hackers had stolen personnel files of some 4 million current and former federal employees.

About a month later, that number grew to more than 20 million people, including contractors, family members and others who had undergone background checks for federal employment. Everything, from Social Security numbers to birth dates, even fingerprint records, was accessed through Office of Personnel Management networks.

"Massive Data Breach," the headlines called it.

So has anything changed in the succeeding 12 months?

Acting OPM Director Beth Cobert thinks so. "There's a whole series of things around technology, around people, and around process that are different today than a year ago," she says.

Cobert is herself one of the changes at OPM, named to replace Katherine Archuleta, who resigned under pressure from Congress last July.


Cobert says cybersecurity has been amped up at OPM under her watch. The agency now requires employees to use two-factor authentication to log into their computers, meaning a password and a secure card. Employees can no longer access their Gmail accounts from their office computers. OPM has also implemented new tools to detect malware. Cobert says the government can see all the devices connected to its networks as well as monitor the data moving into and out of the system.

"There's a whole series of multilayer defenses we've put into our systems," she says.

It's still unclear how exactly the data were stolen, but investigators believe that hackers may have gained access to the government system through a contractor's website. So the Departments of Defense and Homeland Security have been helping OPM design a new, more secure software system to allow the personnel agency to conduct its own government background checks rather than outsourcing them.

"[OPM] had older systems, that needed to be modernized," says Ann Barron-DiCamillo , who led the DHS cyber team that investigated the OPM breach. "They had neglected networks from the perspective of putting in the cybersecurity sensors and technologies that they need to find adversaries in the network."


Plus, OPM workers were using weak usernames and passwords, she says. "The majority of things that were hitting OPM at that time was going to be your typical phishing scams, you know, targets of opportunity," Barron-DiCamillo tells NPR's Audie Cornish. Barron-DiCamillo says much attention has been paid to brand-new vulnerabilities, but in many cases, on older civilian systems, hackers exploit older vulnerabilities that have existing fixes that aren't adopted fast enough — in many cases out of budget constraints.

"[The OPM hack] brought into the forefront that smaller-sized, medium-sized agencies that didn't consider themselves to be such a threat to cyberactivity from data thieves, that they also have this potential publicity associated with becoming a target and becoming a victim," Barron-DiCamillo says. "They have increased the spending associated with that or are asking Congress for increased budgets."

Rep. Will Hurd, chairman of the information technology panel of the House Oversight Committee, says OPM may be moving in the right direction now, but vulnerabilities remain across government agencies — whether it's the Department of Education, which he says has "tons of information on anyone who's going to school," or the Social Security Administration.

"They're not even adopting some of the best practices when it comes to good digital system hygiene," says Hurd, a former CIA agent whose personnel records were among those hacked.

It took OPM some six months to formally notify the millions who had their records breached. They're now eligible for three years of credit monitoring and identity theft protection services .

Hurd says he personally hasn't noticed any ill effects from the stolen records, but Ryan Lozar thinks he has.

The former federal court law clerk says he froze his bank accounts after someone spent thousands at Best Buy in his name and opened a PayPal account. The hack has caused him "endless explaining, explaining, explaining" dealing with his banks, Lozar says. "It's just kind of exhausting and frustrating."

Lozar is a plaintiff in a class-action suit filed against the government by the American Federation of Government Employees. Among other things, it seeks monetary damages as well as lifetime credit monitoring and identity theft protection for the affected people. A hearing is expected this fall.

Barron-DiCamillo says her information was also part of the breach. She encourages those affected to use the free credit monitoring and identity theft protection services — and make sure to monitor them.

"There's an interesting discussion I heard from OPM that they should even offer [lifetime identity theft protection] as part of federal benefits, because of the kinds of data that they mandate that we provide to them when we sign up for service in federal government," says Barron-DiCamillo, who's now chief technology officer at Strategic Cyber Ventures. "I thought that was a great idea; I think they should look toward providing this as a benefit, just like health care that they provide for federal employees."

Government officials have pointed to China as being behind the breach. Whoever it is, Cobert acknowledges that the U.S. government still has work to do.

"There's a whole set of adversaries out in the world who keep looking for bad things," she says, "and we've got to fundamentally modernize our systems to build in security by design."


In re U.S. Office of Personnel Management Data Security Breach Litigation

D.C. Circuit Holds that Heightened Risk of Future Injury Can Constitute an Injury in Fact for Article III Standing.

Comment on: 928 F.3d 42 (D.C. Cir. 2019)

January 2020

In an overwhelmingly digital age, individuals are put at risk of serious injuries such as identity theft, fraud, and even personal embarrassment if their data is exposed to malicious third parties. 1 Victims of such data breaches have often turned to litigation to seek remedy against companies that allegedly failed to secure consumers’ private data. 2 Courts seeking to provide legal recourse to these plaintiffs have grappled with the difficulty of applying established legal doctrines, such as standing to bring suit, to novel fact patterns created by new technologies. 3 For example, the circuit courts have split over one such legal issue: whether plaintiffs who have yet to actually suffer theft or fraud as a result of a data breach have standing to sue at all. 4 Recently, in In re U.S. Office of Personnel Management Data Security Breach Litigation 5 (In re OPM), the D.C. Circuit weighed in on the debate by allowing the plaintiffs to proceed on the theory that they had suffered an injury of exposure to increased risk of future harm. 6 In re OPM is the most recent case in a pattern of lower courts struggling to reconcile Supreme Court guidance with a theory of future injury, and it emphasizes the need for novel legal theories better suited to data breach litigation.

The U.S. Office of Personnel Management (OPM) maintains a large volume of sensitive private information about federal government employees. 7 OPM employs a private firm, KeyPoint Government Solutions, Inc. (KeyPoint), to help with internal investigations, which necessitates granting KeyPoint access to the OPM database. 8 As early as 2007, OPM’s Inspector General had warned the agency about “major information security deficiencies” in its network, but OPM did not address these concerns. 9 Between November 2013 and November 2014, unidentified cyberattackers stole the sensitive data of over twenty-one million people from OPM’s network using stolen KeyPoint credentials. 10 The impacted individuals brought suit against both OPM and KeyPoint for negligence and violation of federal statutes, including the Privacy Act of 1974. 11 A few of these plaintiffs alleged that they had already experienced fraud and identity theft since the data breach. 12 The suits were transferred to the U.S. District Court for the District of Columbia for pretrial proceedings. 13

In the district court, OPM and KeyPoint moved to dismiss the complaints. 14 The court granted their motions on two grounds. First, the plaintiffs failed to meet two out of three of the requirements for standing to litigate 15: an injury in fact and causation linked to the defendants’ misconduct. 16 Relying on Spokeo, Inc. v. Robins, 17 the district court rejected both of the plaintiffs’ theories of injury — the loss of data itself and the heightened risk of future injury. 18 In addition, even those plaintiffs who had suffered actual injury failed to allege a substantial causal connection between OPM’s negligence and any fraudulent activity. 19 Furthermore, the plaintiffs’ claims either were barred by sovereign immunity or failed to state a claim. 20

The D.C. Circuit affirmed in part and reversed in part. 21 The panel’s per curiam opinion found that the plaintiffs had alleged facts sufficient to meet the “low bar to establish . . . standing at the pleading stage.” 22 The D.C. Circuit first analyzed the plaintiffs’ theory of an injury in fact, which must be both “concrete and particularized[,] and actual or imminent.” 23 According to the plaintiffs, the data breach had injured them by exposing them to increased risk of future harms such as identity theft. 24 To determine whether this injury was more than “merely conjectural,” 25 and therefore actual or imminent, the court considered whether the plaintiffs had plausibly alleged that the OPM hackers had “both the intent and the ability to use [the plaintiffs’] data for ill.” 26 Here, the plaintiffs had alleged that some of them had “already experienced various types of identity theft,” all of which could have been accomplished with the stolen information. 27 The nature of these previous attacks indicated both that the hackers were “sophisticated and apparently quite patient” and that the plaintiffs still faced “a substantial risk of future identity theft” arising from the breach. 28 Thus, the plaintiffs had successfully alleged an injury in fact.

According to the court, the plaintiffs’ claims also satisfied the remaining standing requirements: causation and redressability. 29 The “relatively modest” 30 standard for proving causation at the pleading stage required only that the plaintiffs show the defendants’ behavior was “fairly traceable” to the injury. 31 The plaintiffs had met this burden by alleging that OPM’s and KeyPoint’s data security practices were substantial contributing factors to the breach and that the information stolen was sufficient to enable identity theft. 32 Finally, money damages for expenses spent on protective services provided a clear way to redress the plaintiffs if they were to obtain a favorable decision. 33

The court of appeals also held that sovereign immunity did not bar the court from taking jurisdiction. 34 By “plausibly alleg[ing]” the three elements of a Privacy Act claim, the plaintiffs had “unlock[ed]” the statute’s waiver of sovereign immunity over OPM. 35 KeyPoint, OPM’s private contractor, was also not immune because it could not acquire derivative sovereign immunity from an entity (OPM) that was itself not immune, and KeyPoint had failed to demonstrate that its problematic security practices were “authorized and directed by” a government agency. 36

The opinion concluded by dismissing the plaintiffs’ constitutional claims. 37 Although the court did not rule directly that a constitutional right to information privacy does not exist, it reasoned that, even assuming the existence of this right, only intentional disclosures — and not accidental breaches — would violate the right. 38 The court also rejected the plaintiffs’ due process claim by denying any affirmative duty for the government to safeguard data where the affected parties (employees) voluntarily disclosed personal information. 39

Judge Williams dissented from the majority’s finding on standing and concurred with the remaining rulings. 40 On standing, Judge Williams found the plaintiffs had not met the Twombly and Iqbal standard for pleadings, which requires plaintiffs to allege facts that could negate “obvious alternative explanation[s].” 41 Judge Williams emphasized the fact that “a government system” was hacked to steal information about “government employees,” so the “obvious” alternate explanation for the hack — espionage — nullified any likelihood of future identity theft caused by the breach. 42 He also suggested that the allegations were made even less plausible by the passage of two years since the original attacks without widespread identity theft among the plaintiffs. 43 According to Judge Williams, only those plaintiffs who actually suffered theft prior to the litigation could have standing. 44

In In re OPM, the D.C. Circuit validated the plaintiffs’ legal theory that exposure to an increased risk of future harm constitutes the “injury” necessary to confer standing on data breach victims. But the court’s recognition of this injury stretched existing Supreme Court standing doctrine. Two important Supreme Court cases fleshed out the two injury-in-fact requirements that plaintiffs must meet to bring suit: Clapper v. Amnesty International USA 45 on imminence, and Spokeo on concreteness. The In re OPM opinion improperly applied this guidance when analyzing both requirements, however, revealing the incompatibility of the Court’s injury-in-fact precedent with a “future injury” theory in the data breach context. This analytical difficulty has stymied other lower courts as well, and the ensuing incoherence of standing doctrine in the data breach context illustrates the need for novel, more fitting legal theories.

By relying on speculation about the hackers’ future actions to find imminent injury, the D.C. Circuit did not faithfully apply Clapper’s imminence test. In Clapper, the Supreme Court held that a “substantial risk” of injury could render it imminent, 46 but severely cabined this theory by disfavoring speculation about a “chain of possibilities” that rested on “the decisions of independent actors.” 47 The Clapper plaintiffs had claimed that a statute authorizing government surveillance of certain foreigners created a risk of future injury, namely that the government might overhear the plaintiffs’ sensitive communications with those foreigners. 48 The Clapper Court dismissed this claim, refusing to assess the likelihood that the government would make particular choices — the choice to surveil a specific individual, for example — in future, hypothetical surveillance decisions. 49 In In re OPM, however, the court did speculate about the decisionmaking of independent, third-party actors — the cyberattackers. 50 More specifically, to evaluate imminence, the majority made multiple inferences about what was likely to be true about the hackers: they did not conduct the attack for espionage purposes, and they had both the ability and intent to use the stolen data for future identity theft and fraud. 51 This chain of speculative inferences about independent actors resembled the Clapper dissent’s musings on the history of government surveillance 52 far more closely than it did the Clapper majority’s desire to reduce judicial guessing. 53 The D.C. Circuit’s imminence analysis thus did not comply with the Supreme Court’s holding in Clapper.

The D.C. Circuit also did not adequately evaluate whether the plaintiffs’ theory of injury — risk of future injury — was concrete under the Supreme Court’s Spokeo analysis. Instead, the court relied on its own precedent that identity theft itself is a concrete injury. In Spokeo, the Supreme Court acknowledged that “risk of real harm” could satisfy the concreteness requirement if the alleged injury (1) paralleled injuries rooted in the common law, or (2) violated a right expressly protected by statute. 54 In explicitly delineating how risk of harm might satisfy its test, 55 Spokeo implied that the concreteness of the risk should be analyzed when risk stands in for the actual injury. Although this analysis extends to all cases that involve injury in fact, the In re OPM opinion referenced Spokeo in just one paragraph, and only cursorily to quote blanket statements about the three basic elements of Article III standing. 56 The resolution of the concreteness requirement consisted of a conclusory citation to the D.C. Circuit’s previous ruling in Attias v. CareFirst, Inc., 57 where it established that “identity theft . . . constitute[s] a concrete . . . injury,” 58 but the court did not engage further with Spokeo’s concreteness requirement. This analytical move elided the actual question that Spokeo suggested should be answered here: whether the plaintiff’s theory of injury — substituting risk of future injury for actual injury (identity theft) — was sufficiently concrete. The court thus sidestepped the more contentious question of whether the risk of future injury alleged by these plaintiffs was sufficiently concrete.

These inconsistencies between the reasoning of the D.C. Circuit and that of the Supreme Court demonstrate the difficulty of wrestling the square peg of risk of future injury into the round hole of injury-in-fact analysis. As previously acknowledged, both Clapper and Spokeo did suggest that “substantial risk” could theoretically meet the requirements for injury in fact. However, the imminence and concreteness tests actually articulated by the Supreme Court have created a tricky conundrum for lower courts. Analyzing a theory of future injury forces courts to speculate about the future: after all, any activity, no matter how innocuous, will always create some risk of future injury, so courts must have some way to evaluate how imminent a risk actually is. This challenge is especially acute in the context of a data breach where no plaintiffs have yet suffered actual injury, as the motives and future actions of independent actors are always difficult to know with certainty. Clapper thus seems to actually prohibit a “substantial risk” from constituting an injury in fact in data breach cases, because assessing the gravity of the risk necessarily involves conjecture about the actions of third-party hackers. Similarly, to engage properly with Spokeo, lower courts would have to answer an oddly abstract question: What does it mean for risk of future injury to be “concrete”? Although both the common law 59 and statutes 60 have protected against the loss of privacy itself, it is less clear that either has expressly classified the exposure of individuals to the possibility of identity theft as a concrete injury. Supreme Court precedent thus placed the In re OPM court in the unenviable position of attempting to vindicate plaintiffs’ claims by reference to a restrictive injury-in-fact doctrine.

This doctrinal difficulty has helped fuel the circuit split 61 — and general lack of coherence among federal courts — over what data breach plaintiffs are required to prove to have standing to bring suit. The D.C. Circuit’s In re OPM opinion thus continued the pattern of lower court confusion over how Clapper and Spokeo apply to data breaches. In the absence of clear guidance on how much speculation is really allowed in the imminence analysis, lower courts have interpreted Clapper with varying degrees of strictness. 62 Some, like the D.C. Circuit in In re OPM, have used inferences about the intentions and abilities of the hackers as proxies for imminence, 63 whereas others have rejected the future injury theory entirely because “future injuries stem from conjectural conduct of a third party . . . and are therefore inadequate to confer standing.” 64 Similarly, many lower courts have struggled with Spokeo. Like the D.C. Circuit, most have essentially ignored the Spokeo test in data breach litigation, instead focusing only on imminence and engaging in a cursory concreteness analysis. 65 The In re OPM opinion — while ultimately plaintiff-friendly — did not help clarify how lower courts should evaluate whether data breach plaintiffs have standing in the future.

The inconsistency of the D.C. Circuit’s In re OPM analysis with Supreme Court guidance reflects the difficulty of adapting older legal standards to the newer data breach context, especially where plaintiffs allege injury in the form of risk of future harm, a theory that inherently clashes with Supreme Court guidance on standing. Scholars have proposed at least one other theory for injury that might better meet the Court’s standards and thereby alleviate the difficulties faced by lower courts: framing the loss of privacy itself at the moment of the data breach as an injury. 66 Although this theory may not be the best or only one that could remedy the analytical deficiencies displayed in In re OPM , it is increasingly important to think more critically about the theories courts adopt to evaluate individuals’ rights and data collectors’ obligations in data privacy.

^ See, e.g., Stacy Cowley, Equifax to Pay at Least $650 Million in Largest-Ever Data Breach Settlement, N.Y. Times (July 22, 2019), https://nyti.ms/2YgXFqJ [https://perma.cc/2GP4-BEC7] (describing historic monetary settlement following loss of millions of individuals’ sensitive personal information by Equifax, a large credit bureau); Robert Hackett, What to Know About the Ashley Madison Hack, Fortune (Aug. 26, 2015), https://fortune.com/2015/08/26/ashley-madison-hack [https://perma.cc/8MUK-DGQG] (noting that data breach revealed embarrassing personal information about customers seeking extramarital affairs).

^ See Megan Dowty, Note, Life Is Short. Go to Court: Establishing Article III Standing in Data Breach Cases , 90 S. Cal. L. Rev. 683, 686 (2017). There are multiple avenues for the law to effect change in this arena, including regulatory enforcement and breach notification requirements, but these methods can prove unreliable and inadequate to empower affected individuals. See Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms , 96 Tex. L. Rev. 737, 781 (2018).

^ See Dowty, supra note 2, at 686–87.

^ See Ethan Kisch & Alejandro H. Cruz, D.C. Circuit Breathes New Life into OPM Data Breach Litigation , Patterson Belknap: Data Security Law Blog (July 15, 2019), https://www.pbwt.com/data-security-law-blog/d-c-circuit-breathes-new-life-into-opm-data-breach-litigation [ https://perma.cc/D3X9-6NWT ].

^ 928 F.3d 42 (D.C. Cir. 2019).

^ See id. at 49, 67, 75; see also Kisch & Cruz, supra note 4.

^ In re OPM , 928 F.3d at 49–50. This information is collected for electronic personnel files, as well as “background checks and security clearance investigations.” Id. at 50.

^ Id. at 50.

^ Id. at 51.

^ See id. at 49–50.

^ 5 U.S.C. § 552a (2018) (mandating that, absent certain exceptions not applicable here, “[n]o agency shall disclose any record which is contained in a system of records by any means of communication . . . except . . . with the prior written consent of[] the individual to whom the record pertains,” id. at § 552a(b)).

^ See In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig. (OPM District Court), 266 F. Supp. 3d 1, 8, 14 (D.D.C. 2017).

^ Id. at 14.

^ See In re OPM , 928 F.3d at 53.

^ See OPM District Court, 266 F. Supp. 3d at 18–19, 38 & n.26. Article III standing is a prerequisite for justiciability in federal court. See Patrick J. Lorio, Access Denied: Data Breach Litigation, Article III Standing, and a Proposed Statutory Solution, 51 Colum. J.L. & Soc. Probs. 79, 82–83 (2017). Most data breach actions, particularly the large class actions, occur in federal court due to the broad jurisdiction granted to federal courts by the Class Action Fairness Act of 2005, Pub. L. No. 109-2, 119 Stat. 4 (2005) (codified in scattered sections of 28 U.S.C.). See Lorio, supra, at 82 n.16.

^ See In re OPM , 928 F.3d at 54, 61. The court did not address the third standing requirement, redressability by a favorable court decision. Id.

^ 136 S. Ct. 1540 (2016).

^ See OPM District Court, 266 F. Supp. 3d at 20–26, 29.

^ See id. at 36–38.

^ See id. at 38–39. OPM’s sovereign immunity was not waived by the Privacy Act because the plaintiffs failed to plausibly allege “actual damages” under the statute. Id. at 40. The court also ruled the plaintiffs had failed to prove the existence of a constitutional right to informational privacy. Id. at 47.

^ Judges Patel and Millett and Senior Judge Williams comprised the panel. The decision was issued per curiam, although Senior Judge Williams wrote a separate opinion concurring in part and dissenting in part.

^ In re OPM , 928 F.3d at 61 (quoting Attias v. CareFirst, Inc., 865 F.3d 620, 622 (D.C. Cir. 2017)).

^ Id. at 54 (quoting Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016)).

^ See id. at 58–59.

^ Id. at 58.

^ Id. at 56 (quoting Attias, 865 F.3d at 628).

^ Id. at 59.

^ See id. at 61.

^ Id. (quoting Bennett v. Spear, 520 U.S. 154, 171 (1997)).

^ Id. at 60.

^ See id. at 61–62.

^ Id. OPM had allegedly willfully violated the Privacy Act by ignoring repeated warnings about its security systems, id. at 62–64; the plaintiffs had collectively alleged actual damages, including the cost of credit protection, id. at 65–66; and proximate causation was satisfied by the identity theft that some of the plaintiffs had already experienced, id. at 67.

^ Id. at 69 (quoting Campbell-Ewald Co. v. Gomez, 136 S. Ct. 663, 673 (2016)); see id. at 69–71.

^ Id. at 74–75. The court did note, however, that the plaintiffs who claimed a constitutional injury would have had standing if a constitutional right did exist. See id. at 55.

^ See id. at 74. More specifically, the court was extremely hesitant to establish such a constitutional right due to the government’s role in this case as an “employer” rather than a “sovereign” and the existence of a pre-existing legislative means of regulating information privacy (the Privacy Act). Id. at 73.

^ See id. at 75.

^ Id. at 75–76, 81 (Williams, J., concurring in part and dissenting in part). Judge Williams also wrote on two topics the majority did not address: a potential federal-state preemption issue in the question of KeyPoint’s immunity, see id. at 80–81, and the district court’s willingness to allow five plaintiffs to proceed anonymously, see id. at 81–84.

^ Id. at 76 (quoting Ashcroft v. Iqbal, 556 U.S. 662, 682 (2009)).

^ Id. at 77.

^ See id. at 79.

^ 568 U.S. 398 (2013).

^ Id. at 414 n.5 (quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 153 (2010)); see id. (“Our cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about.”).

^ Id. at 414.

^ See id. at 401.

^ See id. at 411–14.

^ See In re OPM , 928 F.3d at 57–58.

^ See id. Indeed, the primary point of contention between the majority and Judge Williams on the issue of standing was about whether the hackers intended to conduct espionage or financial thievery. Compare id. at 57, with id. at 77–78 (Williams, J., concurring in part and dissenting in part).

^ See Clapper, 568 U.S. at 427–31 (Breyer, J., dissenting) (claiming that the Court “need only assume that the Government is doing its job . . . in order to conclude,” id. at 431, that “the Government will intercept at least some of the plaintiffs’ communications,” id. at 430).

^ See id. at 414 (majority opinion).

^ Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016) (noting that “it is instructive to consider whether an alleged tangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts” and that “Congress is well positioned to identify intangible harms that meet minimum Article III requirements”).

^ See id. (“This does not mean, however, that the risk of real harm cannot satisfy the requirement of concreteness.”).

^ See In re OPM, 928 F.3d at 54 (citing Spokeo for the proposition that Article III standing has three elements, including an injury in fact and causation). This passing reference is especially notable because the district court extensively analyzed Spokeo, but the court of appeals did not respond directly to this reasoning in overruling the district court. See OPM District Court, 266 F. Supp. 3d 1, 21–26 (D.D.C. 2017).

^ 865 F.3d 620 (D.C. Cir. 2017).

^ In re OPM, 928 F.3d at 55 (first and second alterations in original) (quoting Attias, 865 F.3d at 627).

^ Scholars, including the reporters of the Restatement of Torts, have argued that the history of privacy torts evinces an independent right to privacy rooted in common law. See, e.g., Jordan Elias, Course Correction — Data Breach as Invasion of Privacy, 69 Baylor L. Rev. 574, 587–89 (2017).

^ Congress has recognized the right to privacy of data given to government agencies by forbidding, through the Privacy Act, agency disclosure of this information without consent. See 5 U.S.C. § 552a (2012).

^ The Sixth, Seventh, and Ninth Circuits favor a future-harm theory of injury, whereas the First, Third, and Fourth Circuits have been more hesitant to allow plaintiffs to proceed on this theory. See Beck v. McDonald, 848 F.3d 262, 273 (4th Cir. 2017) (collecting cases).

^ See Kassi Burns, Data Breach Lawsuit Highlights: Standing & the Fading Impact of Clapper, Driven (Sept. 1, 2015), http://www.driven-inc.com/data-breach-lawsuit-highlights-standing-the-fading-impact-of-clapper [ https://perma.cc/D2FK-U3FE ].

^ See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (“Why else would hackers break into a store’s database and steal consumers’ private information?”).

^ In re Horizon Healthcare Servs. Inc. Data Breach Litig., No. 13-7418, 2015 WL 1472483, at *6 (D.N.J. Mar. 31, 2015); see also In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 25 (D.D.C. 2014) (refusing to find imminence where “speculative” chain of future events would have to happen before plaintiffs experienced harm).

^ See Lorio, supra note 15, at 91–103 (finding few meaningful concreteness inquiries, as required by Spokeo , in the circuit courts).

^ See, e.g., Elias, supra note 59, at 581–86 (framing immediate harms caused to data breach victims at moment of breach as an injury in fact). This theory has proved viable in lower courts already. In Rowe v. Unicare Life & Health Insurance Co., No. 09 C 2286, 2010 WL 86391 (N.D. Ill. Jan. 5, 2010), for example, a federal district court found that invasion of privacy due to the data breach itself could be considered an injury and confer standing to sue. Id. at *9. The In re OPM plaintiffs did raise this legal theory in the district court, but the lower court disclaimed any ability to reach beyond Supreme Court and D.C. Circuit precedent to adopt this novel theory, and the issue was not brought up on appeal. See OPM District Court, 266 F. Supp. 3d 1, 19–20 (D.D.C. 2017).

  • Internet & Communications Law

January 10, 2020


Impact of OPM breach could last more than 40 years

By Dan Verton

July 10, 2015

The theft of background investigation data on millions of federal employees and contractors has created a massive threat to U.S. national security that will last for decades and cost billions of dollars to monitor, current and former intelligence officials said.

The Office of Personnel Management announced last week that personal data on 21.5 million individuals was compromised by the hack of the agency’s background investigation database. That includes 19.7 million individuals that applied for a security clearance, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.

But while the focus continues to be on OPM’s efforts to fix vulnerabilities in the system used to manage background investigation data, known as Electronic Questionnaires for Investigations Processing (e-QIP), as well as the 30-day cybersecurity sprint ordered by the Office of Management and Budget, intelligence experts say there is little the agency can do to reverse the damage that has already been done.

“I don’t think there is recovery from what was lost,” said former CIA Director Michael Hayden, in a telephone interview with FedScoop. “It remains a treasure trove of information that is available to the Chinese until the people represented by the information age off. There’s no fixing it.”

According to Hayden and other former CIA officers, the data breach has created a massive counterintelligence threat that could easily last 40 years — until the youngest members of the federal workforce enter retirement.

“This isn’t about blackmail or bribery. This is knowledge about potential human intelligence targets,” Hayden said.

A former CIA officer, who spoke to FedScoop on background, agreed that the counterintelligence damage stemming from the data breach will last well beyond OPM’s cybersecurity remediation efforts. “You have provided the Chinese with the pool of contractors and employees who have access to classified information. This represents a target pool of possible recruitments with a list of their vulnerabilities,” the officer said. “Over time, the pool will be added to and people will leave thus making the information less valuable. In short, time will take care of some of the problems. But, what a mess.”

House Armed Services Committee Chairman Rep. Mac Thornberry, R-Texas, called the breach “a critical force protection and counterintelligence issue” for the Defense Department. “I am far from convinced that steps taken so far by OPM to mitigate the impact to civilian employees and their families are sufficient, nor am I confident the steps taken to protect information, employees, and their families in the future are adequate,” Thornberry said in a written statement.


Federal employees and contractors are required to fill out a detailed background questionnaire, known as Standard Form 86, when applying for a government security clearance.

What’s in the data?

The background investigation process for granting a federal employee a security clearance begins with a detailed questionnaire known as a Standard Form 86. The 121-page document includes detailed biographical information, residence and employment history, lists of family members, foreign travel and business activities, and detailed summaries of psychological and emotional health counseling the employee may have received.

The form also covers any interactions with police, use of illegal drugs and alcohol, detailed information on financial problems, and information on any unauthorized use of information technology systems. The form requires candidates to provide information for the past seven years. However, top secret security clearance investigations go back 15 years.


Monetary costs

The size, scope and sensitivity of the OPM data breach also have major financial implications.

Richard A. Russell is a former senior national intelligence service executive who served in progressively responsible national security positions for more than 36 years before retiring in January 2015. According to Russell, the U.S. government has vastly underestimated the financial cost of providing identity theft monitoring.

At least four to five people will require monitoring for every non-married federal employee in the background investigation database, according to Russell. For those who have been married, or married more than once, the number of affected people is more like 12 to 14, he said.

“With those factors alone, the total number of people whose information is likely to be rolled up in the breaches would be in excess of 50 million,” Russell said. “Just doing the math suggests it could be higher: 19.7 million times four to 14 yields between 78.8 million and 275.8 million whose information is now in untrusted hands,” he said.

“This is about more than getting the numbers right. It’s about taking a true measure of what has happened and what must be done,” Russell said. “For some, the proposed protection would run out before their child enters the first grade in school. If a child is currently 20 years old, their risk will last between 50 and 70 years or longer.”



A Case Study Analysis of the U.S. Office of Personnel Management Data Breech

Jason Thomas

2019, ResearchGate

User training and awareness is often touted as the strongest tool to resist cyberattacks, as users are often the primary attack vector used to gain access to environments (Thomas J. E., 2018). However, sometimes attackers have overwhelming knowledge and resources, making them virtually unstoppable. The Office of Personnel Management (OPM) data breach was one of the most significant data breaches of 2015 (Fruhlinger, 2018). The OPM is responsible for human resource management for the US Government (McGettigan, 2018). This breach affected some 20 million people (Brendan, 2016).

Related Papers

Computer and Information Science

Jason E Thomas

As the world continues to grow and embrace technology ransomware is a growing problem. When ransomware encrypts storage sytems, systems shutdown, productivity grinds to a halt, and serious long-term damage takes place. As this is a known problem many firms have developed functionality to address ransomware issues in key security technologies such as intrusion protection systems. Many firms, especially smaller ones, may not have access to these technologies or perhaps the integration of these technologies might not yet be possible due ot varying circumstances. Regardless, ransomware must still be addressed as cyber miscreants actually target weak and unprotected environment. Even without tools that automate and aggregrate security capability, systems administrators can use systems utilities, applications, and digital forensic techniques to detect ransomware and defend their environemnts. This paper explores the literature regarding ransomware attacks, discusses current issues on how ransomware might be addressed, and presents recommendations to detect and investigate ransomware infection.

opm data breach case study mitigating personnel cybersecurity risk

One of the most difficult challenges in information security today is phishing. Phishing is a difficult problem to address because there are many permutations, messages, and value propositions that can be sent to targets. Spear phishing is also associated with social engineering, which can be difficult for even trained or savvy employees to detect. This makes the user the critical point of entry for miscreants seeking to perpetrate cyber crimes such as identity theft and ransomware propagation, which cause billions of dollars in losses each year. Researchers are exploring many avenues to address this problem, including educating users and making them aware of the repercussions of becoming victims of phishing. The purpose of this study was to interview security professionals to gain better insight on preventing users and employees from succumbing to phishing attack. Seven subject-matter experts were interviewed, revealing nine themes describing traits that identify users as vulnerable to attack or strongly resistive to attack, as well as training suggestions to empower users to resist spear phishing attacks. Suggestions are made for practitioners in the field and future research.

Gil Baram, Tal Pavel

The present paper reviews the main cyber events of 2016 from the perspective of governments. It outlines and analyzes key identifiable trends in cyber activities and policies worldwide, such as the establishment of special national cyber strategies, enhanced research and development efforts, and strengthened international cyber collaborations and regulations. We focus mainly on major developments in the U.S., Russia, and China, as well as other European and Asian powers. Our main findings show that while quantum computing and blockchain technologies are developing rapidly and IoT and AI are picking up steam, governments are simultaneously improving their defensive and offensive capabilities and are trying to find new ways to deal with the emerging threats. Given the rapid pace of technological development, it remains to be seen whether these accelerated governmental efforts will succeed.

Smart Cities and Regional Development (SCRD) Journal

Oleksandr Tsaruk

The paper deals with phenomena arising from radical disruptions in numerous spheres of human activity that challenge the conventional understanding of security. The authors endeavour to contribute to the understanding of these changes and the emerging paradigm. The notions of cyber security, information security in relation to cyber-physical systems security, and information security in the broader sense, which describes safeguarding the information flows to cyberspace and media, are considered. The authors explore modern manifestations of these threats and then examine the hybrid nature of threats to cyber and information security, describing cyber threats and cyber attacks as merged with existing 'conventional' techniques. Hybrid threats are examined in turn: cyber leverage in diplomacy, the practice of cyber retaliation, cyber sabotage and espionage, cyber weapons, and the cyber arms race.

Since the Korean War, stability in North and South Korean relations has been elusive. Over the past decade, hostilities have entered a digital phase as an increasingly tech-savvy North Korea has compromised public and commercial systems in South Korea with relative impunity. Perceiving North Korea as its greatest threat to cybersecurity, South Korea has focused virtually all of its cybersecurity efforts and resources towards defending against future cyber attacks from its northern neighbor. This paper examines the accuracy of South Korea’s threat assessment of North Korea and investigates the validity of South Korean cyber forensic techniques and intelligence. Furthermore, this research uses analyses of data from past cyber incursions in South Korea to determine the effectiveness of cybersecurity policies and attempts to determine if defensive and offensive strategies are appropriate, in both size and scope, for the danger that North Korea appears to represent. The author concludes that while South Korean assessments of North Korean cyber capabilities and involvement in cyber incursions are relatively accurate, there are ambiguities in the findings of cyber forensic analyses that may be incorrectly attributed to North Korea. As a result, current cyber strategies may be inadequate to defend against other possible state and non-state actors. In addition, this research finds that past cyber policies have weakened South Korean cybersecurity, and suggests that South Korea should shift towards broader more defensive strategies.

Levan Agniashvili

Proceedings of the Digital Privacy and Security Conference 2020

Hugo Barbosa, Carla Cordeiro

The Digital Privacy and Security Conference (DPSC) was first published in 2018 with the aim of disseminating the latest academic research on various subjects related to privacy and digital security. The objectives of our mission have grown along with the success of each edition of this conference. The conference proceedings aim to publish quality research for the benefit of the global academic community. We believe in the importance of education for society and the need to facilitate knowledge on a global scale. As the digital era matures, cyber security evolves and software vulnerabilities diminish; people, however, as individuals, are more exposed today than ever before. In the context of digital privacy and security, attackers breach defences to access sensitive data and resources. The event will take place at the Lusofona University of Porto (ULP) on 15 January 2020.

Book: Asian Defence Review 2018, Knowledge World Publishers, New Delhi

Dr. E. Dilipraj

Nikola Zlatanov

Computer security, also known as cybersecurity or IT security, is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.[1] It includes controlling physical access to the hardware, as well as protecting against harm that may come via network access, data and code injection,[2] and due to malpractice by operators, whether intentional, accidental, or due to them being tricked into deviating from secure procedures.[3] The field is of growing importance due to the increasing reliance on computer systems in most societies.[4] Computer systems now include a very wide variety of "smart" devices, including smartphones, televisions and tiny devices as part of the Internet of Things – and networks include not only the Internet and private data networks, but also Bluetooth, Wi-Fi and other wireless networks.

Self-Published

Michael Nycyk

Book three in the Cyber Library Reference Book series

RELATED PAPERS

Artur Victoria

Stanislav Secrieru

Brian Hillegas

Ryan C Maness

Journal of Cybersecurity Education, Research and Practice

Susan Ramlo, PhD, John B Nicholas

TECHNICAL EXPLOITATION IN THE GRAY ZONE: EMPOWERING NATO SOF FOR STRATEGIC EFFECT

chace falgout

Roger Bradbury , Paul N Cornish

Abdalla Yousif

International Journal of Management and Sustainability

Darrell Norman Burrell, Dr. Delores Springs

COMPARING AND CONTRASTING HOW THE UNITED STATES AND CHINA ADDRESS CYBERSECURITY

Kazem Agamy

Digital Humanitarian Network

Andrej Verity, Emma Amaral

Lumuli Gwakisa

PhD Thesis @uO Research

Baha Abu-Shaqra

erik frinking, Nicolas Castellon, Jacques Mukena

sanatan kulshrestha

Susan Davies

INTERNATIONAL JOURNAL OF INNOVATIVE RESEARCH IN ENGINEERING & MULTIDISCIPLINARY PHYSICAL SCIENCES

Colonel Balwan Nagial (Retired)

Julia Urbina-Pineda


US OPM Hack Exposes Data of 4 Million Federal Employees


US officials announced on Thursday that they are investigating a massive data breach involving the personal information of four million current and former federal employees. Reports indicate attackers compromised systems belonging to the US Office of Personnel Management (OPM), the human resources department for the federal government that conducts background checks on employees and possibly for other federal agencies.

According to reports, US law enforcement believes that a foreign entity might be responsible for the cyber intrusion against the OPM, but the ongoing FBI investigation has yet to establish the facts.

Malicious activity affecting OPM's information systems was reportedly seen in April and was detected by the Department of Homeland Security via its intrusion detection system, Einstein. The recent hack affected OPM's IT systems, potentially compromising the personal information of federal employees. Since the attack, OPM has announced that it has implemented additional security measures for its networks and is offering affected individuals access to credit reports, credit monitoring, and identity theft insurance.

Last year, hackers broke into OPM computer networks that housed personal information of federal employees. The attack reportedly targeted the files of employees who had applied for top-secret security clearances, which list their foreign contacts, previous jobs, and other sensitive personal information. Allegedly, no personal data appeared to have been stolen, and the intrusion was apparently detected and blocked. Unfortunately, despite those earlier countermeasures, the recent hack against the OPM proved that organizations are always susceptible to attack; assuming compromise is therefore a better starting point for carefully planning against likely future attacks.

Possible Repercussions

Obtaining access to the confidential information is usually just the first step. It’s highly likely that the stolen information will be used in secondary infections targeting the victims or their associates. The attackers will also “scrub” the stolen data, sifting to find valuable figures to target, like high profile individuals or even key agencies.  The stolen information can allow the threat actors to create attacks specific to the targeted individuals.

Furthermore, going after the human resources arm of the US federal government allowed the attackers to gain information on several, if not all, government agencies. This specific attack shows that threat actors are concentrating on organizations that hold information on several potential targets—thereby eliminating the need to perform multiple, individual hacks to get all the data they want.

Targeted Attack at Play?

This incident is a reminder of the importance of defending against targeted attacks, a threat that aims to exfiltrate data from target systems. Contrary to some notions, data exfiltration does not happen overnight; because a targeted attack involves detailed reconnaissance to gather information, these attacks usually take longer to plan and execute.

A targeted attack is composed of several components: intelligence gathering, point of entry, command-and-control communication, lateral movement, asset/data recovery, and data exfiltration. However, most attacks aren't a one-time event. Threat actors often try to maintain access to the targeted network to perform further exfiltration, so attacks are often cyclical in nature, with overlapping stages. Because a targeted attack can routinely defeat and evade security measures, it can result in strategic chaos, massive costs, and crippled careers. It can also stay undetected in a network or system for a long time while delivering its intended payload.


With targeted attacks on the rise, the question is no longer if organizations will fall victim to a targeted attack but when. In such an event, organizations need to prepare, respond accordingly, and eventually learn from it. Educating employees on the importance of protecting data is crucial to building a good security mindset. In addition, organizations are encouraged to reach out to partners, stakeholders, and customers to communicate the scope of the attack comprehensively, including important steps to take to reduce the damage.

COMMENTS

  1. OPM Data Breach Case Study: Mitigating Personnel Cybersecurity Risk

    Abstract. The OPM data breach reminds us that the government's stored information is always at risk and under attack by malign actors. Knowledge of such persistent threats must not be ignored. Likewise, knowledge of relevant threats must be spread through government to the entire cybersecurity workforce through effective and efficient training.

  2. A Case Study Analysis of the U.S. Office of Personnel Management Data

    On June 23 the director of the FBI released an estimate that 18 million people were affected and expressed ...

  3. PDF Opm Data Breach Case Study: Mitigating Personnel Cybersecurity Risk

    OPM DATA BREACH CASE STUDY: MITIGATING PERSONNEL CYBERSECURITY RISK ... Cybersecurity Workplace Assessment Act of 2015..... 89 IV. GAP ANALYSIS ... In spring 2015, it came to light that the U.S. Government's Office of Personnel Management (OPM) was the victim of a cyber-attack that resulted in the loss of a ...

  4. OPM Data Breach Case Study: Mitigating Personnel Cybersecurity Risk

    Prophylactic methods may be easier and more cost-effective ways to mitigate cybersecurity risk across the government (compared to various attempts by OPM) and protect the nation's security. The OPM data breach reminds us that the government's stored information is always at risk and under attack by malign actors. Knowledge of such persistent threats must not be ignored. Likewise, knowledge ...

  5. The OPM hack explained: Bad security practices meet China's Captain

    The hack began in November of 2013, when the attackers first breached OPM networks. This attacker or group is dubbed X1 by the Congressional OPM data breach report. While X1 wasn't able to ...

  6. The OPM Data Breach: How the Government Jeopardized Our National

    The OPM data breach was preventable. OPM leadership failed to heed repeated recommendations from its Inspector General, failed to sufficiently respond to growing threats of sophisticated cyber attacks, and failed to prioritize resources for cybersecurity. Data breaches in 2014 were likely connected and possibly coordinated to the 2015 data breach.

  7. PDF Under Attack Federal Cybersecurity and the OPM Data Breach

    This cybersecurity advisor will work with OPM's CIO to manage ongoing response to the recent incidents, complete development of OPM's plan to mitigate future incidents, and assess whether long-term changes to OPM's IT architecture are needed to ensure that its assets are secure. I expect this individual to be serving the agency by August 1.

  8. PDF Cyber Aware Case Study

    Security clearance background files, personnel files, and fingerprint data were exfiltrated. April 2015 OPM became aware of the data breach and began an investigation to identify and isolate all malicious code. [OPM data] remains a treasure trove of information that is available to the Chinese until the people represented by the information age ...

  9. Time to Rethink Cybersecurity Reform: The OPM Data Breach and the Case

    As of July 2015, 888 cybersecurity breaches were reported involving some 245.9 million records compromised worldwide for just that single year.1 Given the increasing severity and complexity of cyber threats and incidents, this reality logically raises the poignant issue of whether the breach of U.S. Office of Personnel Management ("OPM")

  10. In re: U.S. Office of Personnel Management Data Security Breach

    These consolidated appeals stemmed from the cyberattack of multiple OPM databases that resulted in the data breach of sensitive personal information from more than 21 million people. Plaintiffs alleged that OPM's cybersecurity practices were inadequate, enabling the hackers to gain access to the agency's database of employee information, in turn exposing plaintiffs to heightened risks of ...

  11. One Year After OPM Data Breach, What Has The Government Learned?

    Everything, from Social Security numbers to birth dates, even fingerprint records, was accessed through Office of Personnel Management networks. "Massive Data Breach," the headlines called it.

  12. PDF UNDER ATTACK: FEDERAL CYBERSECURITY AND THE OPM DATA BREACH

    the Office of Personnel Management (OPM), announced that over the last year, hackers stole 4.1 million Federal employees' personal records. Then just days later, we learned the attack was actually far broader, involving some of the most sensitive data the Federal Government holds on its employees and likely many more records.

  13. Information Security: OPM Has Improved Controls, but Further Efforts

    OPM collects and maintains personal data on millions of individuals, including data related to security clearance investigations. In 2015, OPM reported significant breaches of personal information that affected 21.5 million individuals. The Senate report accompanying the Financial Services and General Government Appropriations Act, 2016 ...

  14. OPM Improves Cybersecurity After Mega Breach But Challenges Remain

    OPM has been under pressure for the past five years to overhaul and drastically improve its cybersecurity and monitoring capabilities after hackers breached it, compromising data on 4.2 million current and former U.S. government employees. The hackers also stole background investigations records of current, former, and prospective employees and ...

  15. In re U.S. Office of Personnel Management Data Security Breach

    In In re OPM, the D.C. Circuit validated the plaintiffs' legal theory that exposure to an increased risk of future harm constitutes the "injury" necessary to confer standing on data breach victims. But the court's recognition of this injury stretched existing Supreme Court standing doctrine. Two important Supreme Court cases fleshed out ...

  16. Author Page for Alan Wehbé :: SSRN

    OPM Data Breach Case Study: Mitigating Personnel Cybersecurity Risk. Boston University Public Interest Law Journal, Vol. 26, No. 1, Winter 2017. Number of pages: 19 Posted: 08 May 2017. Alan Wehbé. United States Department of Justice. Downloads 871 (38,859) View PDF. Download. 2.

  17. Impact of OPM breach could last more than 40 years

    The Office of Personnel Management announced last week that personal data on 21.5 million individuals was compromised by the hack of the agency's background investigation database. That includes 19.7 million individuals that applied for a security clearance, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.

  18. A Case Study Analysis of the U.S. Office of Personnel Management Data

    However, sometimes attackers have overwhelming knowledge and resources, making them virtually unstoppable. The Office of Personnel Management (OPM) data breach was one of the most significant data breaches of 2015 (Fruhlinger, 2018). The OPM is responsible for human resource management for the US Government (McGettigan, 2018).

  19. PDF GAO-15-725T, CYBERSECURITY: Recent Data Breaches Illustrate Need for

    In June 2015, OPM reported that an intrusion into its systems affected personnel records of about 4 million current and former federal employees. The Director of OPM also stated that a separate incident may have compromised OPM systems related to background investigations, but its scope and impact have not yet been determined. •

  20. US OPM Hack Exposes Data of 4 Million Federal Employees

    June 05, 2015. US Officials announced on Thursday that they are investigating a massive data breach involving the personal information of four million current and former federal employees. Report indicate attackers compromised systems belong to the US Office of Personnel Management (OPM), the human resources department for the federal ...

  21. OPM Data Breach Settlement

    You may be eligible to receive a payment from a proposed $63,000,000 class action settlement. The lawsuit is about the data breaches of the U.S. Office of Personnel Management ("OPM") in 2014 and 2015 and its security contractor in 2013 and 2014 that allegedly compromised personal information of then-current and former federal government ...

  22. Utah State University DigitalCommons@USU

    the announcement by the United States government of the Office of Personnel Management (OPM) data breach. This breach was the first major breach of a government system. While there have been multiple private sector breaches involving millions of people, this was the first to challenge the federal government.

  23. OPM Data Breach Settlement

    If you need more information regarding the payment process, please send an email to [email protected], call 1-855-917-3567 (Toll-Free), or write to: OPM Data Breach Settlement, Claims Administrator, P.O. Box 4719, Portland, OR 97208-4719.