
Anatomy of a Breach: US Office of Personnel Management — 21.5 Million Security Clearances Stolen by China

> series: anatomy_of_a_breach —— part: 077 —— target: us_opm —— records: 21,500,000 —— data: security_clearance_files

Hedgehog Security 31 May 2015 14 min read

21.5 million security clearances. Fingerprints. Personal secrets. Everything a spy agency needs.

In June and July 2015, the US Office of Personnel Management (OPM) disclosed two related intrusions. The first, announced in June, affected the personnel records of 4.2 million current and former federal employees. The second, announced in July and far more damaging, compromised 21.5 million background investigation records, including the detailed SF-86 forms that applicants for national security positions, federal employees and contractors alike, must complete.

The SF-86 forms contain some of the most sensitive personal information a government ever collects: detailed financial histories, records of foreign travel and contacts, mental health treatment, drug and alcohol use, relationship histories, and the names and details of close associates and references. The breach also included 5.6 million fingerprint records. For a foreign intelligence service, this data amounts to a comprehensive dossier on every person with access to US classified information: it enables identification of intelligence officers, recruitment of vulnerable individuals through blackmail, and assessment of which officials might be susceptible to an approach. Former NSA Director Michael Hayden described it as the most damaging theft of intelligence data in US history.



SF-86 forms: everything you would never tell anyone.

The SF-86, the Standard Form for national security position investigations, is the most comprehensive personal disclosure document most people will ever complete. It runs to 127 pages and asks about every aspect of a person's life: every residence for the past 10 years, every employer, close and continuing foreign contacts, financial problems such as bankruptcies, tax and credit delinquencies and gambling debts, any mental health treatment, any drug or alcohol use, any criminal history, and the names and contact details of people who can verify all of it.

Intelligence Recruitment Database
The SF-86 data enables a foreign intelligence service to identify federal employees with financial problems (who might be susceptible to bribery), personal secrets (who might be susceptible to blackmail), or foreign connections (who might already have sympathies). For UK organisations in the <a href="/blog/sector-under-the-microscope-defence-supply-chain">defence supply chain</a>, the OPM breach demonstrated the intelligence value of personnel data — and why vetting data requires the highest protection.
5.6 Million Fingerprints
Unlike passwords, fingerprints cannot be changed, so the theft of 5.6 million fingerprint records is a permanent compromise: a stolen print can be matched against other identity systems for the rest of that person's life. For organisations deploying biometric authentication, the OPM breach is a reminder that biometric data must be protected even more rigorously than passwords, because it cannot be reset. The practical consequence is to treat a biometric as an identifier rather than a secret: store templates rather than raw images, keep them in a separately protected store, and never rely on a biometric as the sole authentication factor.
Government IT Failures
The OPM breach exploited systemic IT security failures in the federal government: legacy systems, sensitive data held unencrypted, no multi-factor authentication for remote or privileged access, and inadequate monitoring. The parallels with the UK government data loss epidemic documented throughout this series are direct: government agencies hold the most sensitive data and consistently demonstrate the weakest security. <a href="/cyber-essentials">Cyber Essentials</a> provides the baseline that government agencies need; it is a floor, not a defence against a state actor, and the controls above it (MFA everywhere, segmentation of the vetting data store, and monitoring of who reads it) are what the OPM case actually shows were missing.
Detection Was Late
OPM discovered the intrusion in April 2015, and only after deploying new intrusion detection tooling; the monitoring already in place had failed to identify a compromise that by then had been running for months. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous behavioural monitoring that detects APT intrusions, the capability that OPM lacked until it was too late.

If the US cannot protect its clearance data, can the UK?

The OPM breach has direct implications for the UK defence supply chain. UK organisations holding personnel vetting data, security clearance information, or employee records that could be of intelligence value face the same threat from the same adversaries. Cyber Essentials Plus, required for many MoD contracts, addresses baseline controls. Our penetration testing tests whether those controls hold up against the tradecraft such actors use. SOC in a Box for Defence and Engineering provides 24/7 monitoring. And UK Cyber Defence's threat intelligence provides awareness of APT campaigns targeting the defence sector.


21.5 million security clearances stolen. Does your organisation hold personnel data that a foreign intelligence service would value?

Our <a href="/penetration-testing/infrastructure">penetration testing</a> assesses the security of personnel data stores. <a href="/cyber-essentials">Cyber Essentials Plus</a> provides the baseline for defence supply chain organisations. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for APT-level threats.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
