When conducting a risk analysis, even before beginning the collection and analysis of threats, vulnerabilities and controls of the assets containing proprietary information, there’s work to be done. Work that sadly ISN’T done at many organizations, to their detriment.

An organization will typically take into consideration, among other things, the following:

  • Type (e.g. sensitivity to the data owners, criticality to the organization, value to an unauthorized user) of information created, received, transmitted or maintained by the organization
  • Amount of information (e.g. number of records, number of individuals)
  • Number of access points to the assets containing the information
  • Learnings from prior security incidents or breaches
  • Safeguards/Controls against phishing attacks, social engineering and other attacks delivered through social media channels
  • Security measures maintained by any service providers

So let’s see… what steps did the Office of Personnel Management miss before shutting down the electronic collection and processing of security clearances and background checks?

  • The first known security breach at OPM was discovered in the spring of 2014. Although no employee records were lost, the hackers did obtain security system documents and manuals deemed by OPM’s CIO to be outdated.
  • The second known security breach at OPM was discovered in the summer of 2014 and involved the largest contractor providing background checks and security clearance investigation services for OPM. Again, China was named the suspected state sponsor. More than 25,000 records belonging to DHS employees were stolen. OPM ultimately terminated its contracts with the service provider, U.S. Investigations Services, LLC (USIS).

USIS, by the way, is the same firm that had vetted Edward Snowden and Aaron Alexis (the gunman who killed 12 people at the Navy Yard in 2013)… and had been accused by the Justice Department of defrauding the government by submitting over 500,000 incomplete background check investigations. And, also by the way, it was almost awarded another $190 million contract in September 2014 by the Department of Homeland Security to help manage the immigration system, under the regulatory requirement “to go to the lowest bidder.”

Following the termination of contracts with USIS, OPM awarded background check contracts to another government contractor, KeyPoint, which shortly thereafter discovered that it too had been hacked twice. The first involved the notification to almost 50,000 DHS employees that their personal information may have been “exposed”, with no confirmation that it was stolen. The second discovery, following the bolstering of KeyPoint’s security systems, may have involved the compromise of perhaps as many as 390,000 records. AND the stolen security credentials of a KeyPoint employee were the keys to the OPM servers in the third OPM security breach, discovered in April 2015, which resulted in the theft of the records of 4.2 million employees. But I digress….

There’s not a lot of information available about the second OPM security breach. The level of damage could be anywhere between 18 and 32 million records of current and former employees, and it involved sensitive security-clearance information.

Finally (maybe), the third OPM breach, discovered in April 2015, involved the theft of 4.2 million records held offsite on a server (belonging to the Interior Department) which was accessed through that KeyPoint employee’s security credentials. This information included “tens of thousands” of Standard Forms 86, required for all service members and civilians seeking a security clearance, which require disclosure of “information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions.”

So, in retrospect, if OPM had only taken the basic steps to conduct a risk analysis for the sensitive information it was entrusted with, perhaps…

Mary Chaput

CFO & Chief Compliance Officer at Clearwater Compliance
Mary has 35 years of international and domestic business experience spanning the healthcare, information services, manufacturing and venture capital consulting industries. She is Clearwater’s CFO and Compliance Officer. As an experienced corporate CFO and risk manager, Mary works actively with customers and prospects to identify and prioritize their risks and to develop effective remediation plans within their budgets.