Data Loss Prevention (DLP) , Incident & Breach Response , Managed Detection & Response (MDR)

GOP Report: OPM Failed to Detect 2nd Hacker in Breach

As One Hacker Was Purged, Another Pilfered 20.5 Million Files, Congressional Report Says
GOP Report: OPM Failed to Detect 2nd Hacker in Breach
Reps. Jason Chaffetz (right) and Elijah Cummings (Photo:

As the U.S. Office of Personnel Management purged a hacker, another intruder who secretly infiltrated the system stole 20.5 million records containing personal information of government workers and contractors, many with top security clearances, according to a new GOP Congressional report.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

Republican members of the House Oversight and Government Reform Committee on Sept. 7 released the 241-page report about the 2014-2015 breach. It contends OPM leaders could have prevented the theft of personal information of tens of millions of individuals.

"The longstanding failure of OPM's leadership to implement basic cyber hygiene - such as maintaining current authorities to operate and employing strong multifactor authentication, despite years of warning from the inspector general - represents a failure of culture and leadership, not technology," states the report, written under the direction of Committee Chairman Jason Chaffetz, R-Utah.

Jason Chaffetz discuss the OPM report with the Associated Press.

OPM's acting director disputes many aspects of the report and says it fails to acknowledge the many data security steps that the office has taken since the incident. Meanwhile, Democrats on the Congressional panel claim the GOP report reaches conclusions that are contrary to facts found during the committee's investigation.

'Hacker X2' in Stealth Mode

The new report says that OPM was monitoring an intruder, labeled Hacker X1 when, on May 7, 2014, another hacker, Hacker X2, posed as an employee of OPM contractor KeyPoint, which conducted background investigations on prospective employees and contractors. Hacker X2, using the contractor's OPM credentials, logged into the OPM system, installed malware and created a backdoor to the network, according to the report.

Authorities believe Hackers X1 and X2 had ties to the Chinese government.

Intelligence agencies had asked OPM not to kick Hacker X1 off the network so they could monitor its movements and collect intelligence on the intruder, the report notes. But when the agency noticed Hacker 1 got dangerously close to the security clearance background information, OPM - working with the Department of Homeland Security - developed a remediation plan called "the Big Bang." The government purged Hacker 1 from the system in May 2014. Still, Hacker 2 wasn't detected and remained in the OPM system post-Big Bang, according to the report. Two months later, Hacker 2 began to exfiltrate security clearance background investigation files. In December 2014, the hacker stole personnel records; a month later, the cyber-assailant exfiltrated fingerprint data.

Basic Controls and Cutting-Edge Tools

"Had OPM implemented basic, required security controls and more expeditiously deployed cutting-edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented or significantly mitigated the theft," the GOP report says.

The report identifies one of those controls as two-factor authentication, which, if implemented, might have prevented the breaches by both hackers.

One of the "cutting-edge" tools cited in the report is Cylance's Protect advance threat protection product, which OPM deployed after purging Hacker 1. The tool "lit up like a Christmas tree" when implemented, according to the report.

"Could they have done better? Absolutely," Cylance founder and CEO Stuart McClure said in an interview with the Associated Press. "But once they had been definitively convinced there was a breach, they took it very seriously."

OPM's Leader Responds

In a blog, OPM Acting Director Beth Cobert says she disagrees with many aspects of the report, but she did not address the specifics regarding the two hackers in her response. Cobert says the committee's report fails to fully reflect where the agency stands today in regards to IT security.

Cobert lists a number of steps OPM has taken since the breach to secure sensitive data. "The cybersecurity incidents at OPM provided a catalyst for accelerated change within our organization," she says. "Throughout this agency, management has embraced cybersecurity as a top priority."

Also critical of the Republican members' report were the committee's Democratic members, who issued a 21-page memorandum responding to the majority's account of the breach. The ranking member of the committee, Rep. Elijah Cummings, D-Md., says the Republican report reaches conclusions that are contrary to facts found during the committee's investigation. "The committee's year-long investigation into the data breaches showed that no one from the intelligence community or anywhere else detected the presence of the attackers and that these cyber spies were caught only with cutting-edge tools that OPM had deployed," Cummings says.

Role of Contractors

Cummings criticizes the Republicans for not adequately addressing contractors' role in federal cybersecurity, saying one of the most significant deficiencies uncovered during the committee's investigation was the finding that cyber requirements for government contractors are inadequate.

Through a spokesman, Federal CIO Tony Scott declined to comment on the Republican report, referring questions to OPM. In a speech last week at the National Institute of Standards and Technology, the CIO said the way the federal government funds IT projects served as a major contributor to the OPM breach because Congress, for the most part, fails to provide adequate money to modernize agencies' IT (see US CIO: Federal Funding Process Played Key Role in OPM Hack). Newer systems, he says, are less prone to cyberattacks.

"What you have is a recipe for high costs, cost overruns, projects that can't be completed or are difficult to start and the whole litany of things that we all know historically have been true," Scott said. "And, indeed, in OPM we found exactly that."

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.