Data Breach of United States Office of Personnel Management Ping Sun Oby Okereke Yingyan Wang Mengting Li Zhixin Wei

Background The United States Office of Personnel Management (OPM) is an independent agency of the United States government that manages the civil service of the federal government. Formed: January 1, 1979 Preceding agency: Civil Service Commission Jurisdiction: Federal Government of the United States Headquarters: 1900 E Street NW, Washington, D.C. Employees: 6,205 (2011) Agency Executive: Kathleen McGettigan

What happened? In June 2015, OPM announced that it had been the target of a data breach targeting the records of as many as 4 million people. Later, FBI Director James Comey put the number at 18 million. The data breach had started in March 2014 or earlier, and was noticed by the OPM in April 2015. It has been described by federal officials as among the largest breaches of government data in the history of the US. On July 9, 2015, the estimate of the number of stolen records had increased to 21.5 million. On August 27, 2017, the FBI arrested a Chinese national suspected of helping to create the malware used in the breach.

What happened? (continued) Records Stolen: Information targeted in the breach included personally identifiable information (PII) such as SSN, as well as names, dates and places of birth, and addresses. The hack went deeper than initially believed and likely involved theft of detailed security-clearance-related background information and fingerprint information. Change of personnel: Katherine Archuleta, the Director of the OPM, tendered her resignation on July 10, 2015

Impact to the business Data breach created a massive threat to U.S. national security that will last for decades Greatest damage from OPM breach was the damage to the U.S. government’s reputation The size, scope and sensitivity of the OPM data breach also have major financial implications. OPM could cost the government more than $1 billion in identity management solutions over the next decade.

Root cause of the issue Whether the attack is driven by commercial interests is unclear Lack of IT management best practices. The OPM had been warned multiple times of security vulnerabilities and failings Persistent deficiencies in OPM's information system security program

Gap Analysis of the OPM Data Breach In light of the OPM data breach, new laws “Cybersecurity Information Sharing Act of 2015 (CISA) and the Federal Cybersecurity Workplace Assessment Act of 2015” were introduced. The below listed gaps aided the need to create and have the law signed by the president on December 18, 2015; Lack of information sharing amongst US Federal Government Agencies Lack of clear policies addressing Incident Response Procedures for Data Breaches Lack of collective experience with regard to threat and mitigation efforts Lack of timely reporting which may have thwarted the second data breach as well allowed the relevant agencies and affected employees to take steps to protect their interests much sooner than nearly two years later

What controls were missing and your recommendation Aging systems as the primary obstacle to putting such protections in place for certain systems, despite having the encryption tools on hand. Incomplete security authorization packages, weaknesses in testing of information security controls, and inaccurate Plans of Action and Milestones Recommendation: Building a new architecture, a modern architecture that allows us to implement additional security features The only way to prevent malicious actors from obtaining useful data in this case would have been timely detection of the intrusion. Data loss prevention (DLP) has been proven to be one of the best tools to mitigate the possibility of a significant breach like we saw with OPM.

Cited Law Journal Library, OPM DATA BREACH CASE STUDY: MITIGATING PERSONNEL CYBERSECURITY RISK Alan Wehb. https://www.symantec.com/connect/blogs/opm-breach-costs-could-exceed- 1-billion https://www.fedscoop.com/opm-losses-a-40-year-problem-for-intelligence- community/

Question?