The 2015 OPM Data Breach
2015-06-04
The 2014–2015 cyber-intrusion campaign against the United States Office of Personnel Management — disclosed in June 2015 and attributed by the United States Government to Chinese state actors, subsequently associated by analysts with the People's Republic of China's Ministry of State Security — that resulted in the exfiltration of approximately 22.1 million records, including the SF-86 security-clearance background-investigation files of approximately 21.5 million current and former federal employees, contractors, and family members, and 5.6 million sets of fingerprints.
Background
The United States Office of Personnel Management (OPM) is the executive-branch agency responsible for the human-resources administration of the federal civil service, including the conduct of background investigations on applicants for federal employment and on personnel applying for security clearances at the Confidential, Secret, Top Secret, and Sensitive Compartmented Information levels. OPM conducted background investigations directly through its Federal Investigative Services (FIS) division and through contracted vendors, principally USIS Investigations Services and KeyPoint Government Solutions. The records produced by those investigations — Standard Form 86 (Questionnaire for National Security Positions) and the supporting investigative casework — were retained in OPM's centralised personnel and investigation databases.[1]
The SF-86 form, completed by every applicant for a federal security clearance and updated periodically across the clearance-holder's career, requires the disclosure of substantial life-history detail: residential addresses across the prior ten years, employment history, financial history including significant debt and bankruptcy, foreign contacts including family members resident abroad, foreign travel, foreign business and academic relationships, mental-health treatment, alcohol and drug use, and arrest and police-contact history. The form runs to approximately 127 pages when completed in full and represents the most detailed single life-history disclosure required by any United States Government process.[2]
The Operation
The intrusions against OPM were carried out across two operationally distinct phases. The first phase — initiated in approximately late 2013, with confirmed presence in OPM networks from approximately November 2013 through April 2015 — was directed against the OPM personnel-records databases and resulted in the exfiltration of approximately 4.2 million records of current and former federal employees, including their social-security numbers, dates of birth, and pay and position information. The second phase — operating in OPM networks across May 2014 through April 2015 — was directed against the FIS background-investigation databases and resulted in the exfiltration of approximately 21.5 million SF-86 records (approximately 19.7 million applicants and 1.8 million spouses and co-habitants), and approximately 5.6 million sets of fingerprints retained as part of the investigation casework. The two intrusions together exfiltrated approximately 22.1 million unique records, with substantial overlap between the two record sets.[3]
The technical access pattern combined initial access through credentials issued to the contractor USIS — which had been the subject of an independent intrusion disclosed in August 2014 — with subsequent lateral movement through OPM's interconnected systems to reach the FIS background-investigation databases. The intruders deployed the PlugX remote-access tool and the Sakula remote-access tool, both of which are software families that have been associated by Western governmental and private-sector reporting with cyber-intrusion sets attributed to the People's Republic of China. The malware variant deployed in the OPM intrusion was tracked by US Government and private-sector reporting under various designations including "Deep Panda" and "Axiom."[4]
The intrusions were detected by OPM's Computer Incident Response Team in April 2015 in the course of a security-tooling upgrade that included new endpoint-detection capability. The FIS-database intrusion was identified separately in the course of the subsequent forensic investigation, conducted with the support of the United States Computer Emergency Readiness Team (US-CERT) and the FBI Cyber Division. OPM publicly disclosed the personnel-records breach on 4 June 2015 and the SF-86 breach on 9 July 2015. The OPM Director, Katherine Archuleta, resigned on 10 July 2015.[5]
Disclosure
The United States Government attributed the OPM intrusions to the People's Republic of China at successive stages and with successive levels of formality. The Director of National Intelligence, James R. Clapper, identified China as the leading suspect in public statements during June 2015. The Federal Bureau of Investigation, in court documents in United States v. Yu Pingan (US District Court for the Southern District of California, August 2017), charged the Chinese national Yu Pingan with conspiracy to commit computer hacking in connection with intrusions using the Sakula malware family also deployed against OPM; Yu Pingan pleaded guilty in August 2018 and was sentenced in February 2019. Later public statements and reporting have attributed the intrusions to Chinese state actors, whom analysts have since associated with the People's Republic of China's Ministry of State Security; Chinese Government officials have rejected the attribution.[6]
The United States House of Representatives Committee on Oversight and Government Reform, under Chairman Jason Chaffetz (R-Utah), conducted a sustained inquiry into the OPM intrusion across 2015–2016 and released its majority staff report, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, on 7 September 2016. The OPM Office of the Inspector General produced parallel reports on OPM's information-security practices across the period and on the agency's response to the breach. The combined Oversight Committee and OIG record constitutes the principal authoritative public-record account of the breach.[7]
The strategic-counter-intelligence consequences of the SF-86 exfiltration are the principal substantive feature of the post-disclosure analysis. The exfiltrated SF-86 records identify, by name and biographical detail, substantial fractions of the United States cleared personnel population — including persons whose intelligence-community or sensitive-government employment is implicit in the existence of their clearance. The detail supports targeted human-intelligence approaches against named individuals; it supports the identification of foreign relatives subject to coercion or recruitment in the named individual's home country; and it permits cross-referencing against other compromised data sets to identify previously concealed identities. Successive United States Government statements have characterised the strategic value of the exfiltrated data set as exceptional.[8]
Legacy
The 2015 OPM breach is the largest exfiltration of United States Government personnel-security data on record and remains the canonical reference for the strategic-counter-intelligence dimension of state-level cyber operations. The structure of the breach — a multi-phase intrusion combining contractor-credential compromise, lateral movement, and the exfiltration of intentionally retained life-history data — has been substantially replicated in subsequent breaches against United States and partner-state government databases.[9]
The post-breach institutional response included the establishment, by Executive Order 13708 of 24 September 2015, of the National Background Investigations Bureau (NBIB) within OPM, with operational responsibility for federal background investigations consolidated under the Director of National Intelligence. The NBIB was subsequently replaced by the Defense Counterintelligence and Security Agency (DCSA), established as the lead federal background-investigation agency under the Department of Defense in October 2019, with the transfer of background-investigation functions and personnel from NBIB completed across 2019–2020. The institutional reorganisation reflects the broader assessment that background-investigation data is a counter-intelligence function that should be administered with corresponding security disciplines.[10]
The strategic significance of the breach for the United States cleared-personnel population persists. The exfiltrated SF-86 record set is presumptively retained by the Chinese state and by any successor or affiliated entities; the named individuals identified in the records remain identified for the duration of their lifetimes and into the lifetimes of their relatives. Affected individuals were offered, beginning in 2015, identity-theft monitoring and credit-restoration services through US Government contracts; the services have been extended at successive intervals, and OPM and the relevant agencies continue to publish guidance to affected populations. The substantive counter-intelligence damage assessment is not publicly available in detail.[11]
Related dossiers and agencies
This dossier is contemporary with — and operationally distinct from — the Snowden disclosures (2013) and the Manning–WikiLeaks Disclosures (2010), and is the federal-government-personnel-data analogue to the supply-chain compromise documented in SolarWinds (SUNBURST) (2020) and to the mass-exploitation campaign documented in HAFNIUM (Microsoft Exchange) (2021). The agency-level entries most directly engaged are the Central Intelligence Agency and the National Security Agency by reason of the cleared-personnel population affected, although the principal US Government victim was the Office of Personnel Management itself. The country-level context is on the pages for the United States and China.
Sources & Further Reading
1. United States Office of Personnel Management, agency mission statements and Federal Investigative Services records; Standard Form 86, "Questionnaire for National Security Positions" (December 2010 revision and successor revisions).
2. Standard Form 86 (SF-86); 5 CFR Part 731, suitability and credentialing regulations; OPM background-investigation procedural guidance, public-record editions.
3. United States House of Representatives Committee on Oversight and Government Reform, Majority Staff, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, 7 September 2016 (114th Congress).
4. CrowdStrike intelligence reporting on Deep Panda and Axiom, 2014–2015; Mandiant / FireEye reporting on PlugX and Sakula tooling; Department of Justice, United States v. Yu Pingan, indictment of August 2017, US District Court for the Southern District of California.
5. United States Office of Personnel Management public statements, June and July 2015; Office of the Inspector General reports on OPM information security; testimony of Director Katherine Archuleta before the House Oversight Committee, June 2015.
6. Director of National Intelligence James R. Clapper, public statements June 2015 (including GEOINT 2015 Symposium, 25 June 2015); Department of Justice, United States v. Yu Pingan, plea agreement and sentencing, 2018–2019.
7. House Oversight Committee staff report, The OPM Data Breach, 7 September 2016; OPM Office of Inspector General audit reports on information security, 2014–2017.
8. House Oversight Committee staff report, The OPM Data Breach, particularly the chapter on counterintelligence implications; David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (Crown, 2018), ch. 8.
9. Sanger, The Perfect Weapon; Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (Harvard University Press, 2020).
10. Executive Order 13708 of 24 September 2015, "Establishment of the National Background Investigations Bureau"; Executive Order 13869 of 24 April 2019, transferring background-investigation functions to the Department of Defense; Defense Counterintelligence and Security Agency, transfer documentation, 2019–2020.
11. United States Government identity-monitoring contract notices, 2015 onward; OPM and DCSA public guidance to affected populations; Government Accountability Office reports on the post-breach institutional response, 2016–2019.