The OPM Breach: Looking Back One Year Later

laptop computer on the table with notepad and coffee cup with Ntrepid logo in foam

Share this post

The OPM Breach: Looking Back One Year Later

As we approach the one-year anniversary of the disclosure of the Office of Personnel Management (OPM) Breach, it begs the question, “What can we learn from this horrific attack on our privacy?”

This breach is clearly the most significant, known government data breach to-date — affecting over 21.5 million Americans, many of which work on the most sensitive of U.S. national security programs. And despite all the security precautions put in place to safeguard our most sensitive data, it was still compromised. Given the sensitivity of the information taken, this is qualitatively different than other breaches in the detail, accuracy, and sensitivity of the information stolen. This information was attested to under oath and much of it may not appear in any other database. As a result, it enables follow up surveillance and targeting in a way that goes far beyond the typical data breach; possibly subjecting national security personnel to increased targeting by foreign adversaries now and into the future.


“While not officially quantified this breach could equate to the highest material loss of any breach to date because of the depth and breadth of the data involved.”


To truly understand the significance of the breach, we need to reflect on what has taken place over the last 12 months. By doing so we can see that responsiveness has been extremely slow. In any type of data breach, quick identification and remediation is paramount in order to minimize damage. In the case of this breach, it took almost four months from the time it was disclosed (June 4, 2015), until victims were notified (September 30, 2015) and told of plans to address the breach. That four-month window only started once the breach was identified, and there is no telling when the actual breach occurred. That is way too much time to have over 21.5 million people’s personal data compromised with no set action plan in place; especially when this breach could have been avoided (we’ll get to that a little later).

Let’s also not forget the other repercussions that have taken place over the past year. The sheer scale of the breach has led to resignations, Congressional hearings, overhauls of systems and the ways in which background investigations are conducted and stored. And while these are all good and necessary, the reality is this breach will most likely be overshadowed by other breaches as complacency sets in. If we are not careful, breaches of this magnitude will soon become the norm rather than the remarkable breach we view it as today.

So if our walk down memory lane has taught us anything it is that the course of action taken following the breach was far from adequate. Take for instance the offering of identity theft protection to breach victims. The continued absence of identity theft and fraud attacks based on the stolen OPM data makes the offered protection of identity theft services pointless. As time goes by and confidence grows towards the hypothesis that it was stolen by a national intelligence service, almost certainly the Chinese, the need for something that actually provides protection against real and likely threats like targeted cyber attacks, is warranted.


“This is bigger than simply having your credit card data stolen.”


The ramifications of what can be done with this information go far beyond simple identity theft. Now that this information is out there, attackers can quite literally sit and wait as they gather more and more intelligence before making any type of move; whether that is against current government employees or future generations of workers and/or their families. Possible scenarios include targeted spyware or even innovative digital sabotage campaigns aimed at discrediting or embarrassing key government users and officials.

While breaches will continue to plague all types of organizations from government to commercial, protection is available. Whether it is stopping malware from creating a breach in the first place, or shielding the identity of users once their data has been compromised (as in the case with the OPM Breach), the use of secure virtual browsers offer protection from targeted cyber social engineering attacks and allow users to navigate and browse the Internet without the fear of attack or compromise.

As many of us were also affected, we have been following the outcome of the breach very carefully. Despite all the heartache and strife caused by the OPM Breach, there are lessons we can take away to ensure the magnitude of such a breach never happens again. Part of that learning and healing process comes from dusting ourselves off and moving forward. As such, we would like to remind all those affected that we are offering our upcoming Consumer version of Passages to OPM Breach victims free of charge for one year; once it is released later this year. To learn more about Passages and how it can protect you, please visit: www.GetPassages.com/Breach.