Lessons Learned from the OPM Data Breach – Two Years Later

Data Breach at US Office of Personnel Management

It’s been two years since the massive data breach at the US Office of Personnel Management (OPM) was revealed. Allegedly perpetrated by Chinese hackers, the breach resulted in the theft of highly sensitive personally identifiable information on federal employees. Some estimates of the number of records stolen in the breach run as high as 21.5 million.

The ramifications of such an enormous data breach are likely still being felt. But, two years removed from the announcement of the attack, we can now take a look at the lessons we learned from the OPM data breach.

Nine Takeaways From the Largest Data Breach in US Government History

  1. The convenience of interconnected systems can lead to catastrophic outcomes. Air gaps for the most sensitive systems and segmentation of network traffic between the rest are essential to security.
  2. Unmonitored sensitive systems lead to unlimited losses. Instrument sensitive systems (logging, alerting, and review of who accessed what) and make named people accountable for their security.
  3. Some systems and identities are more sensitive than others. Proper classification, controlled access, and the removal of persistent access when it is not needed are essential to security. Privileged identity management systems and processes provide secure, controlled, and auditable access to sensitive systems.
  4. Adding a minor amount of friction for authorized users to verify their identity and their reason for access (for example, multi-factor authentication on privileged accounts) provides tremendous resistance to intruders.
  5. OPM’s problems were both technological and organizational. There was a request for more money to solve the problem, but the core of the issue was not money; it was organizational behavior and misdirected self-preservation instincts.
  6. Contractors do not always have the best interests of the organization in mind. Fiduciary and survival-critical functions should always be managed by an employee of the organization.
  7. The leadership of an organization must be up to date on cyber warfare threats and on how the organization must prepare and operate to minimize losses. This does not mean leadership must know the deep technical details of specific threats, but they must understand how infiltration, exfiltration of data, and destruction occur in the cyber domain.
  8. Leadership must act on audit findings to terminate ongoing risks through both organizational changes and the implementation of technology, as quickly as possible. Leadership should test the mitigations regularly to confirm that the problems found have been resolved and, more importantly, recheck the controls to ensure there is no backsliding into old destructive behavior.
  9. OPM was the worst government breach in US history. The appointment of the wrong person to lead this critical agency was a poor decision. As in other breaches, senior leadership was removed and reconstituted. While a change in leadership is useful, it is only effective if the head of the organization (i.e., the President) is ready to invest in making sure the breach does not occur again: not just by funding, but by putting their authority behind the rebuilding of the breached organization to fix both organizational behavior and technology.
