Compromised Credentials Gateway to Massive OPM Data Breach

By Roy Maurer Jun 26, 2015

Office of Personnel Management (OPM) Director Katherine Archuleta confirmed that compromised employee credentials stolen from a government contractor provided hackers access to the federal human resources agency’s servers.

The embattled director told the Senate Homeland Security and Governmental Affairs Committee June 25, 2015, that a 2014 breach of background check provider KeyPoint Government Solutions led to what’s likely to be the largest hacking of sensitive employee data ever.

The agency, which screens and hires federal workers, revealed on June 4, 2015, that it had discovered a cyberattack involving data for 4.2 million current and former federal employees. On June 12, OPM disclosed a second attack that targeted information for millions more Americans who applied for security clearances. Archuleta repeated to congressional committees all week that the agency doesn’t yet know how many people were affected by the second breach, in opposition to claims made by the FBI that up to 18 million people may have been affected.

Richard Spires, the chief executive officer of Resilient Network Systems, Inc., and former chief information officer for the Internal Revenue Service and the Department of Homeland Security (DHS) said other federal agencies are also at risk for data breaches because of a lack of IT management and security best practices, and a slow-moving procurement process that prevents speedy adoption of the latest technology.

“Beginning in the 1990s and up to the present, the federal government has not properly managed IT, having failed to effectively adapt with the changes in IT technology and the evolving cybersecurity threat,” he said.

“Federal agencies are a rich target and will continue to experience frequent attempted intrusions,” agreed Andy Ozment, assistant secretary for cybersecurity and communications at DHS. To make up for “20 years of underinvestment in public and private cybersecurity,” Ozment advised Congress to pass the cyber threat sharing legislation currently sitting in the Senate and to codify the EINSTEIN intrusion detection system for use across federal civilian agencies.

“The OPM hack is an excellent example of our government on the one hand hoovering up massive amounts of data and on the other hand not having sufficient protection in place to guard that data,” said Stu Sjouwerman, founder and CEO of IT security company KnowBe4, based in Clearwater, Fla. “There is systemic failure on the side of the government, despite projects like EINSTEIN which are supposed to guard against intrusions.”

Clearing Up the OPM Data Breach Timeline

OPM discovered a cybersecurity intrusion in April 2015 during the implementation of a cybersecurity upgrade, according to DHS.

The agency reported the intrusion to the DHS National Cybersecurity and Communications Integration Center, which began an incident response and a search for other compromises across the federal government. The response team identified exfiltration of approximately 4.2 million federal personnel records stored at a Department of Interior data center that held records for OPM. DHS believes that hackers were present in the data center from October 2014 to March 2015.

In May 2015, OPM identified additional malicious activity on its network. By June, DHS determined that several OPM applications related to background investigations had been exposed from June 2014 to January 2015. In this second announced breach, the hackers accessed databases that house sensitive data from security clearance records, Archuleta confirmed. The total number of records affected remains unknown while the investigation is ongoing. Those affected could include people who applied for government jobs, but never actually ended up working for the government, and those people given as references on applications and background checks.

Investigators believe that the recent breaches are connected to earlier incidents, including a November 2013 breach at OPM and an August 2014 breach at KeyPoint.

The earlier OPM breach yielded manuals which essentially mapped the infrastructure of OPM’s networks, critical to future hacks.

Data on 48,000 federal employees was exposed in the KeyPoint breach, but, more significantly, investigators believe the breach provided the access credentials used to infiltrate OPM’s networks. Government business was shifted to KeyPoint in 2015 after OPM decided not to renew its contract with background screener USIS, which had suffered its own data breach in August 2014. OPM retains its KeyPoint contracts, and Archuleta defended the contractor, saying “While the adversary leveraged a compromised KeyPoint user credential to gain access to OPM’s network, we don’t have any evidence that would suggest KeyPoint as a company was responsible or directly involved in the intrusion.”

Next Steps

Archuleta told the committee that she will hire a new cybersecurity advisor by August 1, 2015, who will be tasked with managing OPM’s recovery and response to the recent hacks, developing a plan to prevent future breaches and determining whether the agency’s IT architecture needs an overhaul. She also plans to reach out to chief information security officers at leading private-sector companies to discuss further steps the agency can take to protect its systems and information. “As you know, the public and private sector both face these challenges, and we should face them together,” she said. “I would like to emphasize again that OPM has taken steps to ensure that greater restrictions are in place, even for privileged users. This includes removing remote access for privileged users and requiring two-factor authentication.” She also mentioned that OPM is looking at tools that mask and redact data that a privileged user would not need to see.

IT security expert Sjouwerman outlined perennial best practices for employers to protect employee credentials, including:

  • Deploying wall-to-wall two-factor authentication.
  • Considering getting rid of passwords altogether and using biometrics instead. Alternatively, employers may choose to use a single sign-on service so that employees only use one password.
  • Putting employees through effective security awareness training which includes password management.
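The two controls Archuleta described (no remote access for privileged users, and a required second factor) can be expressed as a simple access-policy check. The code below is an example added here, not code from OPM, KeyPoint or KnowBe4: the user directory and the login attempts are constructed, the second factor is a standard RFC 6238 TOTP code, and the function and field names are assumptions for illustration.

```python
"""Access-policy check for two controls: privileged users may not log in
remotely, and every login must present a valid TOTP second factor (RFC 6238).
Example code added here; not the code of any agency or vendor named in the article."""
import base64
import hashlib
import hmac
import struct

# Constructed directory. The second secret is the RFC 6238 test-vector key
# ("12345678901234567890" in base32) so the codes below are reproducible.
USERS = {
    "alice":       {"privileged": True,  "totp_secret": "JBSWY3DPEHPK3PXP"},
    "contractor1": {"privileged": False, "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
}

STEP_SECONDS = 30


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time-step counter, then
    dynamic truncation to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock skew.
    compare_digest avoids leaking the expected code through timing."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def evaluate_login(attempt: dict, unix_time: int) -> tuple:
    """Apply the policy to one constructed login attempt.
    attempt = {"user": str, "remote": bool, "otp": str}  (field names assumed).
    Returns (allowed, reason)."""
    user = USERS.get(attempt.get("user"))
    if user is None:
        return False, "unknown user"
    # Control 1: privileged accounts are not reachable remotely at all.
    if user["privileged"] and attempt.get("remote", False):
        return False, "privileged users may not log in remotely"
    # Control 2: a stolen password alone is not enough; a valid TOTP is required.
    if not verify_totp(user["totp_secret"], attempt.get("otp", ""), unix_time):
        return False, "second factor missing or invalid"
    return True, "ok"


if __name__ == "__main__":
    now = 59  # fixed clock so the run is reproducible
    attempts = [
        {"user": "alice", "remote": True, "otp": totp(USERS["alice"]["totp_secret"], now)},
        {"user": "contractor1", "remote": True, "otp": "000000"},
        {"user": "contractor1", "remote": True, "otp": totp(USERS["contractor1"]["totp_secret"], now)},
    ]
    for a in attempts:
        print(a["user"], "remote" if a["remote"] else "local", evaluate_login(a, now))
```

Note that the first attempt is refused even though its TOTP code is correct: the remote-access restriction for privileged users is checked before the second factor, so a compromised privileged credential cannot be used from outside at all. A compromised contractor credential (the second attempt) is stopped by the missing second factor.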

Roy Maurer is an online editor/manager for SHRM.

Follow him @SHRMRoy
