After it was revealed in June that two large-scale hacks at the Office of Personnel Management resulted in the theft of millions of employee personnel files and sensitive security-clearance information, members of Congress called a series of committee hearings to get to the bottom of the events that led to the hacks.
Those hearings landed OPM Director Katherine Archuleta in the hot seat, where she was grilled for her handling of the agency’s data security and IT practices in the lead-up to the breaches. In one heated exchange last week, Sen. John McCain struck out at Archuleta for withholding information about the breaches, and for not herself meeting with the FBI after the hack occurred. Just one day before, House Oversight Committee Chairman Jason Chaffetz accused Archuleta of lying outright about an OPM data breach early last year.
But lawmakers also spent a considerable amount of time at these hearings trying to clear up basic details about the hacks. Archuleta and her colleagues at the Homeland Security Department were repeatedly asked about the number, scale, and timelines of data breaches that affected OPM and two contractors that provided background-check services for the personnel agency.
The timelines below are based mainly on testimony from Archuleta and Andy Ozment, assistant secretary for cybersecurity and communications at DHS, supplemented by information from news reports.
USIS Security Breach
USIS was the largest contractor tasked with providing background-investigation services for OPM when its database was hacked. That hack, which likely came from China, resulted in the loss of more than 25,000 records belonging to DHS employees, and it led OPM to terminate its contracts with USIS. The contractor later went bankrupt.
First OPM Security Breach
Officials say that the first hack that targeted OPM itself didn’t result in the loss of employee records, but the attackers—likely China again—did make off with some documents about OPM servers.
Chaffetz called these documents “blueprints, essentially the keys to the kingdom,” but OPM and DHS officials pushed back on the “blueprint” characterization. Donna Seymour, the OPM’s chief information officer, said they were “outdated security documents about our systems and some manuals about our systems,” and Ann Barron-DiCamillo, a top DHS cybersecurity official, said they did not include “proprietary information or specific information around the architecture of the OPM environment.”
First KeyPoint Security Breach
After OPM’s contracts with USIS for background checks were terminated, they were shifted to KeyPoint, another large government contractor. But it wasn’t long before KeyPoint discovered that it, too, had been hacked. Nearly 50,000 DHS workers were notified that their personal information may have been exposed, but Barron-DiCamillo said her agency couldn’t confirm that any data was actually stolen.
After the breach, KeyPoint revamped its security systems, and OPM decided to continue its relationship with the contractor.
Second KeyPoint Security Breach
In June, it was revealed that another, separate data breach was discovered at KeyPoint at roughly the same time as the breach made public last year. Less is known about this hack, including when the breach began, but reports indicate that as many as 390,000 records may have been compromised.
Further, one of the two KeyPoint breaches appears to have led directly to the hack at OPM that began in October. Archuleta confirmed to lawmakers that the stolen security credentials of a KeyPoint employee were used to get into OPM’s servers in October, resulting in the theft of 4.2 million employee records.
Second OPM Security Breach
Government officials remain doggedly mum about the scope of this data breach, which involves sensitive security-clearance information on current and former federal employees. The breach began in May 2014, but a security update that rolled out in January curbed most of the hackers’ activity on the network, according to a DHS official—even though the breach would not be discovered for months.
Estimates of the size of this breach range widely. Reports place the potential damage as high as 18 million records, a number that Archuleta has repeatedly disputed without offering an official alternative. But Chaffetz, in last week’s contentious committee hearing, warned that the number could be even higher, pointing to the 32 million total records that OPM keeps as the upper bound of the possible extent of the data theft.
The personnel agency has not yet sent notifications to employees who may be affected by this breach, but it is expected to make an announcement about the scope of the hack as soon as this week.
Third OPM Security Breach
Although the White House has not officially attributed this breach to a foreign country or criminal group, it has all but acknowledged that Chinese hackers were behind the theft of 4.2 million employee personnel records. This data belongs to OPM, but it is held offsite on a server that belongs to the Interior Department. The hackers used a KeyPoint employee’s credential, gleaned from an earlier breach, to gain access to the data, which did not include any security clearance information.
CSID, a company that provides identity-theft protection services, has notified every affected federal employee. The company says that 500,000 people have signed up for an 18-month protection plan, offered free of charge by OPM, which paid about $20 million to cover affected individuals.