Sqrrl Blog

Jul 14, 2015 9:45:00 AM

Cyber Incident Matrix: OPM Breach

Severity Score: 6
Complexity Score: 6
How did we get these numbers?

Incident Summary

  • What was breached: The United States Office of Personnel Management (OPM). System-specific breaches were not disclosed.

  • Delivery: March 2014 (possibly earlier) - April 2015

  • The Attackers: Chinese state-sponsored hackers (alleged)

Overview:

In April of this year, the US Office of Personnel Management (OPM) became aware of an intrusion in a personnel file database while working to upgrade its security infrastructure. As investigations continued, the OPM discovered that a second breach had occurred in which a variety of sensitive data on both former and current federal employees had been compromised and exfiltrated using credentials associated with an investigative contractor, KeyPoint Government Solutions. Before being detected, the intruders had made off with personal information such as sexual history, drug use, friends, roommates, and more. The second breach was far more significant, raising the number of affected individuals to over 21 million.

[Image: Sqrrl Cyber Incident Matrix]

Complexity Score:

  Plan Time                  2
  Indirect Attack            1
  Cyber/Human Coordinated    0
  Zero-Days Used             0
  Time Undetected            2
  Advanced TTPs              1
  Total                      6

The OPM was hacked twice. First, personnel information on about 4.2 million employees was exfiltrated. As investigations continued, it became clear that a much larger breach had occurred: stolen credentials associated with a background check contractor, KeyPoint, were found to have been used to access 21.5 million records in the OPM background check database. The targeted but indirect nature of the attack indicates that long-term planning occurred to isolate the appropriate third-party target. Because KeyPoint was used by the OPM to perform background checks, its employees required sysadmin access to the background check database. This made them ideal targets for an attack with the intention of data exfiltration.

Severity Score:

  Incident Costs             4
  Physical Damage            0
  Lives Lost                 0
  Nat. Sec. Impact           2
  Total                      6

The variety and volume of data exfiltrated from the OPM, 21.5 million records, leaves open the possibility for foreign actors to do an extraordinary amount of damage. Based on the 2015 Ponemon data breach report, the raw cost of the breach could climb as high as $3.1 billion, based on an average of $145 per record stolen. This cost is layered on top of the fact that this data in particular could be used to target American agents abroad, as well as to recruit or blackmail federal employees, opening up an entirely new field of vulnerabilities. Needless to say, this has potentially far-reaching implications for national security, as some analysts have already speculated.


Topics: Cybersecurity, OPM, Data Breach