Tag Archives: OPM

The OPM Cyber Breach: the most dangerous data breach in U.S. history?

Original Post

Have you completed form “SF-86” or “Questionnaire for National Security Positions” to apply for a job with the U.S. Government since 2000? Are you related to, or lived with someone who has applied for a position requiring a U.S. government Secret or Top Secret security clearance?  If so, it is highly likely that you were impacted by the Office of Personnel Management (“OPM”) cyber-breach.

Millions of current, former, and prospective employees, and contractors of the U.S. government were affected, whether they realize it or not.  In addition, millions of their family members, spouses, contacts, and roommates who never even applied for a security clearance position with the U.S. government, had their personal information and records compromised as well.

All individuals who went through a background investigation by OPM in 2000 or afterwards (which occurs through the submission of forms SF 86, SF 85, or SF 85P) are highly likely to have been impacted by the OPM cyber breach (or breaches). The total number of people affected is estimated to top 20 million.

The personal details of individuals applying for jobs requiring a security clearance are some of the most valuable intelligence an enemy could obtain. Current CIA, FBI, and NSA (to name only a few agencies) employees, as well as many armed forces personnel, have been vetted through form SF-86 and the Office of Personnel Management.

The Office of Personnel Management’s repeated failures to uphold its duty to safeguard secret data, may have serious consequences on the national security of the United States for many years to come.

***********************************************************************

Related Press Accounts:

***********************************************************************

OPM is a federal agency headquartered in Washington, D.C.  It performs vital functions in the process of screening and hiring federal employees and contractors. Either directly, or through private contractors, OPM gathers and stores vast amounts of sensitive data about candidates and their families.

Because nearly everyone who applies for employment with the federal government receives some form of vetting through OPM, it “stores more Personally Identifiable Information” (“PII”) and other sensitive records than almost any other Federal agency.”[1]

Consequently, millions of persons, ranging from mail carriers, to submarine component technicians, spies, secret service agents, and certain United States Marines – have been screened by OPM.

The PII that OPM collects and has collected is stored on networked computer systems, which are by their nature, subject to unauthorized access, or a “data breach.”

In 2014, there were so many data breaches that it was dubbed the “year of the breach,” with four out of ten major U.S. companies holding credit card data suffering a network intrusion and data breach of some kind.[2]  The threats facing any digital custodian of sensitive data could not have been more obvious, with major retailers such as Target and The Home Depot in headlines suffering record breaking data breaches affecting tens of millions of Americans.[3]

PII about United States government employees and contractors, including names, addresses, social security numbers, and close relatives, would be of great intelligence value to a foreign government, or to “cyber criminals” aiming to commit financial crimes or identity theft. An obvious target, all OPM data should have been well secured against intrusion from any enemy.

Although charged with safeguarding some of the most important data possessed by the U.S. government, OPM failed to fulfill that duty.

After learning of data breaches affecting its networks, OPM issued two public disclosures.  The most recent disclosure, updated June 23, 2015 suggested the astonishing extent of the damage:

“Through the course of the ongoing investigation into the cyber intrusion that compromised personnel records of current and former Federal employees announced on June 4, OPM has recently discovered that additional systems were compromised. These systems included those that contain information related to the background investigations of current, former, and prospective Federal government employees, as well as other individuals for whom a Federal background investigation was conducted.[4] The full extent of the breach centers around the wholesale loss of Department of Defense Standard Form 86, or “SF-86” a “127 page document [that] asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions.”[5]

According to the Navy Times:

“Some military officials believe the recent hack targeting the civilian-run OPM seized information from tens of thousands of Standard Form 86s, which are required for all service members and civilians seeking a security clearance. That includes service members of all ranks, officers and enlisted, in a wide range of job specialties and assignments.  ‘They got everyone’s SF-86,’ one Pentagon official familiar with the investigation told Military Times.”[6]

As a result of the OPM breaches over twenty million individuals were affected. OPM has publicly disclosed:

“OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases.  This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”[7]

OPM failed to live up to its duty to protect highly sensitive PII, even though it knew or should have known about profound vulnerabilities in its data security practices as early as 2007.

***********************************************************************

Footnotes

[1] Actions to Strengthen Cybersecurity and Protect Critical IT Systems, OPM, June 2015, last accessed on September 7, 2015 from https://www.opm.gov/news/latest-news/announcements/cybersecurity-report/.

[2] If 2014 Was The Year Of The Data Breach, Brace For More, Forbes, January 2, 2015.  Last accessed September 7, 2015, from http://www.forbes.com/sites/danielfisher/2015/01/02/if-2014-was-the-year-of-the-data-breach-brace-for-more/.

[3] Home Depot’s Record-Breaking Credit Card Breach Could Have Been Much Worse, The Motley Fool, September 20, 2014. Last accessed September 7, 2015 from http://www.fool.com/investing/general/2014/09/20/home-depots-record-breaking-credit-card-breach-cou.aspx.

[4] Information about OPM Cybersecurity Incidents – Latest News, OPM, last accessed on September 7, 2015 from https://www.opm.gov/news/latest-news/announcements/.

[5] Military clearance OPM data breach ‘absolute calamity.’ Navy Time, June 18, 2015, last accessed September 8, 2015 from http://www.navytimes.com/story/military/2015/06/17/sf-86-security-clearance-breach-troops-affected-opm/28866125/.

[6] Id.

[7] Information about OPM Cybersecurity Incidents – What Happened, OPM, last accessed on September 7, 2015 from https://www.opm.gov/cybersecurity#FAQs.

***********************************************************************

Related Filings: 

Related Cases:

MDL No. 2664

  • Michael Hanagan v. United States Office of Personnel Management et al (CAC/2:15-cv-06045)
  • National Treasury Employees Union, et al v. Archuleta (CAN/3:15-cv-03144)
  • McGarry v. U.S. Office of Personnel Management et al (CO/1:15-cv-01705)
  • American Federation Of Government Employees et al v. United States Office of Personnel Management et al (DC/1:15-cv-01015)
  • Krippendorf v. United States Of America, Office Of Personnel Management et al (DC/1:15-cv-01321)
  • Cox v. United States Office of Personnel Management et al (GAN/1:15-cv-02986)
  • Hobbs v. United States Office of Personnel Management et al (ID/2:15-cv-00302)
  • Woo v. United States Office of Personnel Management et al (KS/6:15-cv-01220)
  • Sims v. United States of America, Office of Personnel Management, et al (Mass/1:15-cv-13426-DJC)

***********************************************************************

Updates

10/2/2015 — Activity in Case MDL No. 2664 IN RE: U.S. Office of Personnel Management Data Security Breach Litigation Conditional Transfer Order Finalized

United States

United States Judicial Panel on Multidistrict Litigation

Notice of Electronic Filing

The following transaction was entered on 10/27/2015 at 8:07 AM EDT and filed on 10/27/2015

Case Name: IN RE: U.S. Office of Personnel Management Data Security Breach Litigation
Case Number: MDL No. 2664
Filer:
Document Number: 64

Docket Text:
CONDITIONAL TRANSFER ORDER FINALIZED (CTO-1) – 6 action(s) re: pldg. (16 in CAC/2:15-cv-06045, 20 in CO/1:15-cv-01705, 10 in GAN/1:15-cv-02986, 20 in ID/2:15-cv-00302, 1 in MA/1:15-cv-13426, [61] in MDL No. 2664, 5 in VAE/1:15-cv-01202) Inasmuch as no objection is pending at this time, the stay is lifted.

Signed by Clerk of the Panel Jeffery N. Luthi on 10/27/2015.

Associated Cases: MDL No. 2664, CAC/2:15-cv-06045, CO/1:15-cv-01705, GAN/1:15-cv-02986, ID/2:15-cv-00302, MA/1:15-cv-13426, VAE/1:15-cv-01202 (TB)

Case Name: Hobbs v. United States Office of Personnel Management et al
Case Number: ID/2:15-cv-00302
Filer:
Document Number: 22

Docket Text:
CONDITIONAL TRANSFER ORDER FINALIZED (CTO-1) – 6 action(s) re: pldg. (16 in CAC/2:15-cv-06045, 20 in CO/1:15-cv-01705, 10 in GAN/1:15-cv-02986, 20 in ID/2:15-cv-00302, 1 in MA/1:15-cv-13426, [61] in MDL No. 2664, 5 in VAE/1:15-cv-01202) Inasmuch as no objection is pending at this time, the stay is lifted.

Signed by Clerk of the Panel Jeffery N. Luthi on 10/27/2015.

Associated Cases: MDL No. 2664, CAC/2:15-cv-06045, CO/1:15-cv-01705, GAN/1:15-cv-02986, ID/2:15-cv-00302, MA/1:15-cv-13426, VAE/1:15-cv-01202 (TB)

Case Name: McGarry v. U.S. Office of Personnel Management et al
Case Number: CO/1:15-cv-01705
Filer:
Document Number: 22

Docket Text:
CONDITIONAL TRANSFER ORDER FINALIZED (CTO-1) – 6 action(s) re: pldg. (16 in CAC/2:15-cv-06045, 20 in CO/1:15-cv-01705, 10 in GAN/1:15-cv-02986, 20 in ID/2:15-cv-00302, 1 in MA/1:15-cv-13426, [61] in MDL No. 2664, 5 in VAE/1:15-cv-01202) Inasmuch as no objection is pending at this time, the stay is lifted.

Signed by Clerk of the Panel Jeffery N. Luthi on 10/27/2015.

Associated Cases: MDL No. 2664, CAC/2:15-cv-06045, CO/1:15-cv-01705, GAN/1:15-cv-02986, ID/2:15-cv-00302, MA/1:15-cv-13426, VAE/1:15-cv-01202 (TB)

Case Name: Cox v. United States Office of Personnel Management et al
Case Number: GAN/1:15-cv-02986
Filer:
Document Number: 12

Docket Text:
CONDITIONAL TRANSFER ORDER FINALIZED (CTO-1) – 6 action(s) re: pldg. (16 in CAC/2:15-cv-06045, 20 in CO/1:15-cv-01705, 10 in GAN/1:15-cv-02986, 20 in ID/2:15-cv-00302, 1 in MA/1:15-cv-13426, [61] in MDL No. 2664, 5 in VAE/1:15-cv-01202) Inasmuch as no objection is pending at this time, the stay is lifted.

Signed by Clerk of the Panel Jeffery N. Luthi on 10/27/2015.

Associated Cases: MDL No. 2664, CAC/2:15-cv-06045, CO/1:15-cv-01705, GAN/1:15-cv-02986, ID/2:15-cv-00302, MA/1:15-cv-13426, VAE/1:15-cv-01202 (TB)

Case Name: Oravis et al v. United States of America, Office of Personnel Management et al
Case Number: VAE/1:15-cv-01202
Filer:
Document Number: 7

Docket Text:
CONDITIONAL TRANSFER ORDER FINALIZED (CTO-1) – 6 action(s) re: pldg. (16 in CAC/2:15-cv-06045, 20 in CO/1:15-cv-01705, 10 in GAN/1:15-cv-02986, 20 in ID/2:15-cv-00302, 1 in MA/1:15-cv-13426, [61] in MDL No. 2664, 5 in VAE/1:15-cv-01202) Inasmuch as no objection is pending at this time, the stay is lifted.

Signed by Clerk of the Panel Jeffery N. Luthi on 10/27/2015.

Associated Cases: MDL No. 2664, CAC/2:15-cv-06045, CO/1:15-cv-01705, GAN/1:15-cv-02986, ID/2:15-cv-00302, MA/1:15-cv-13426, VAE/1:15-cv-01202 (TB)

Case Name: SIMS v. UNITED STATES OF AMERICA, OFFICE OF PERSONNEL MANAGEMENT et al
Case Number: MA/1:15-cv-13426
Filer:
Document Number: 3

Docket Text:
CONDITIONAL TRANSFER ORDER FINALIZED (CTO-1) – 6 action(s) re: pldg. (16 in CAC/2:15-cv-06045, 20 in CO/1:15-cv-01705, 10 in GAN/1:15-cv-02986, 20 in ID/2:15-cv-00302, 1 in MA/1:15-cv-13426, [61] in MDL No. 2664, 5 in VAE/1:15-cv-01202) Inasmuch as no objection is pending at this time, the stay is lifted.

Signed by Clerk of the Panel Jeffery N. Luthi on 10/27/2015.

Associated Cases: MDL No. 2664, CAC/2:15-cv-06045, CO/1:15-cv-01705, GAN/1:15-cv-02986, ID/2:15-cv-00302, MA/1:15-cv-13426, VAE/1:15-cv-01202 (TB)

Case Name: Michael Hanagan v. United States Office of Personnel Management et al
Case Number: CAC/2:15-cv-06045
Filer:
Document Number: 18

Docket Text:
CONDITIONAL TRANSFER ORDER FINALIZED (CTO-1) – 6 action(s) re: pldg. (16 in CAC/2:15-cv-06045, 20 in CO/1:15-cv-01705, 10 in GAN/1:15-cv-02986, 20 in ID/2:15-cv-00302, 1 in MA/1:15-cv-13426, [61] in MDL No. 2664, 5 in VAE/1:15-cv-01202) Inasmuch as no objection is pending at this time, the stay is lifted.

Signed by Clerk of the Panel Jeffery N. Luthi on 10/27/2015.

Associated Cases: MDL No. 2664, CAC/2:15-cv-06045, CO/1:15-cv-01705, GAN/1:15-cv-02986, ID/2:15-cv-00302, MA/1:15-cv-13426, VAE/1:15-cv-01202 (TB)

***********************************************************************

Advertisements

1 Comment

Filed under Uncategorized