The OPM hack, explained

On Thursday, the world caught another bombshell about the now-notorious OPM hack. It’s now unquestionably the largest known data breach in U.S. history, at least in terms of the sheer number of people whose personal information was stolen. But if you’ve got questions, like who was affected, what an OPM is, and which foreign country we can get angry at over this, we’ve got answers.

What’s OPM?

OPM stands for the United States Office of Personnel Management. If the federal government were a company, OPM would be its human resources division.

What is the hack?

Back in April, a group of hackers gained access to at least two different OPM databases. The first is normal HR stuff—spreadsheets with data like names, addresses, birthdays, and Social Security numbers.

The second is, believe it or not, probably more sensitive. It’s called EPIC, and includes broader information about employees, like background checks. Ever go through a government background check? Some of them are extremely thorough, and gather information about, for instance, marital history. Family. Substance abuse.

Why am I hearing about it now?

Some government sources knew about it in May, and President Obama announced it to the public June 4. But it wasn’t until Thursday that we got a more accurate count. 21.5 million Social Security numbers were stolen.

Am I a victim here?

Have you worked for the federal government, or are you close with someone whom the federal government has run a background check on? That’s a good indication of whether or not you’ve been affected.

Does this mean that all 21.5 million people who were in that database are now more vulnerable to identity theft?

Yes, unfortunately.

How ugly is it?

Well, for one example, hackers—maybe the same ones, maybe others—are already sending phishing emails to victims of the OPM hack. So some poor saps who have already been compromised are looking in their inboxes, seeing what is apparently the first step to getting help, but they’re actually being targeted further.

Ugh.

Yeah.

Who’s behind it?

We don’t know. A lot of people in D.C. assume the hackers are Chinese, and say it’s likely state-sponsored. But cyberattacks, especially sophisticated ones like this, are notoriously difficult to attribute, and pretty much impossible to attribute with certainty.

What are the victims doing?

Suing the government, for one thing. The country’s largest federal employee union has filed a $1 billion suit against OPM.

Wait, what if it is a foreign government behind this, or a foreign government ends up with the information stolen in this breach? Just thinking out loud here but, what if, say, an FBI agent is clandestinely in that country, and his personnel files reflect that?

That’s what we’re saying! This is a big deal.

Will any politicians who don’t seem to have a strong grasp of cybersecurity use this to call for new laws that wouldn’t have actually in any way helped prevent this breach, but which civil liberties advocates warn would actually severely hamper normal Americans’ privacy?

Yes.

Was the OPM using an outdated dinosaur of a system that made a disaster like this much more likely?

Yes.

Is this, plus the Sony hack, plus all the other breaches I’ve heard about in the news in recent years, evidence that this is becoming the kind of world we live in, where huge systems that have our data, which is outside of our control, are susceptible to hackers?

Sorry to be the bearer of bad news, but yes.

Photo via Office of Personnel Management (PD) | Remix by Jason Reed

Kevin Collier


A former senior politics reporter for the Daily Dot, Kevin Collier focuses on privacy, cybersecurity, and issues of importance to the open internet. Since leaving the Daily Dot in March 2016, he has served as a reporter for Vocativ and a cybersecurity correspondent for BuzzFeed.