Lessons Learned from the OPM Data Breach


On June 4th, 2015, the Office of Personnel Management (OPM) announced that its network, which included millions of federal employee records, was compromised. The breach follows a common pattern: it resulted from alleged state-sponsored hacking, and personally identifiable information was compromised. What made this breach different from others is the size and scope of the information stolen. This breach may have gone far beyond social security numbers and dates of birth, and may have been connected to an earlier breach in 2013.

OPM’s Chief Information Security Officer, Donna Seymour, recently testified at a House Oversight hearing that during the 2013 breach hackers took "some manuals about our systems." While the 2013 breach was initially downplayed, there is current speculation that it could have provided a roadmap to penetrate OPM networks for the recent breach. The breach likely involved personally identifiable information from security clearance records and background check information, including mental illness and drug and alcohol use records.

The number of records compromised remains uncertain, as OPM’s estimate of 4.2 million records has come into question. James Comey of the Federal Bureau of Investigation states the number could be 18 million based on OPM’s initial investigation report.

OPM’s data breach response has provided valuable lessons for other organizations that may find themselves in a similar situation:

  • After an intrusion is detected, regardless of whether or not data was compromised, appropriate steps need to be taken to remediate any vulnerability. This may involve significant yet necessary investment in IT infrastructure to prevent cyber attacks in the future.
  • The general public will be much less forgiving of a second intrusion, especially if they believe it could have been prevented from lessons learned in the first attack.
  • Any announcement regarding the exact number or types of records impacted must be correct the first time.

While no two breaches are exactly alike, there are generally accepted best practices that should be followed in order to mitigate both the financial and reputational harm that will occur.

Other government hacks clearly indicate the force and will of those seeking to carry out an attack on organizations. Cyber attacks and data protection are a growing concern for all organizations, in both the private and public sectors, and should be discussed before an event occurs, not after the fact. Contact a HUB cyber expert who can bring experience and counsel to help you reduce the threat of a cyber attack to your business.
