OPM Data Breach Victims Awarded New $63 Million Settlement

OPM Data Breach Victims Awarded New $63 Million Settlement
October 17, 2022 | 4 minutes read

Several years ago in 2015, the Office of Personnel Management (OPM), one of the many agencies that make up the U.S. federal government, experienced a data breach that impacted not only federal employees but also job applicants, in what has been described as one of the largest breaches that a U.S. government agency has ever faced. To this end, the victims of this landmark data breach were finally afforded some level of resolution this past week, as a federal judge agreed to finalize a $63 million settlement in response to the numerous damages that the victims of the data breach sustained as a result of the events that took place.

Subsequently, “Court documents show nearly 20,000 individuals have already signed onto the class-action lawsuit” but other individuals that may have been affected by the breach will be permitted to submit a claim up until December 23, 2022. On top of this, the American Federation of Government Employees (AFGE) has also notified “about a million potential victims informing them about the class-action lawsuit. Additionally, plaintiffs have created targeted ads for current and former federal employees on social media, as well as print and radio ads to make them aware of the class-action lawsuit.”

OPM data breach

In terms of the circumstances that led to the data breach that the Office of Personnel Management dealt with in 2015, the government agency was in fact hit with data breaches on 2 separate occasions during the year. This being said, the OPM discovered that the personal information of more than 4.2 government employees had been stolen in early 2015, including information concerning the family members of these employees. Likewise, the information that was stolen included home addresses, full names, and social security numbers, as well as dates of birth, among other things.

What’s more, the OPM suffered a second data breach several months later in June 2015, as the background investigation records of current, former, and prospective employees were stolen yet again. Likewise, the information that was stolen during this second breach included social security numbers once more, as well as biometric information including the fingerprints of government employees. Due in large part to the sensitive nature of the information that was disclosed during the course of these two respective data breaches, as well as the sheer number of people that were impacted, these incidents were some of the most significant cybersecurity events that a U.S. government agency has ever had to contend with.

OPM’s poor security practices

While no individual or group of individuals has been conclusively identified as having launched the data breach against the U.S. Office of Personnel Management, the general consensus regarding the attack is that “that OPM was hacked by state-sponsored attackers working for the Chinese government. Among the evidence is the fact that PlugX, the backdoor tool installed on OPM’s network, is associated with Chinese-language hacking groups that have attacked political activists in Hong Kong and Tibet; the use of superhero names is also associated with groups tied to China.”

Moreover, the OPM’s allegedly weak cybersecurity practices also played a huge role in the two data breaches that took place in 2015. To illustrate this point further, a large number of the government employees that were impacted by the data breach did not have two-factor authentication set up on their accounts, making it incredibly easy for them to have their personal information stolen. Furthermore, in spite of the fact that the OPM had implemented a security information and event management (SIEM) tool in an attempt to protect the personal data of its employees, this tool was reportedly poorly configured, meaning that it failed to cover the information of up to 20% of the government agency’s information security systems.

While data breaches were still a daily occurrence back in 2015, much as they are still are today, the scope and severity of the two data breaches that the OPM experienced have had long-lasting impacts on many of the government employees that were working for the agency at the time, in addition to other employees that worked for the agency previously. For this reason, the data breach settlement that was reached this past week was a positive development for all parties involved, irrespective of the fact that it has taken 7 years for a ruling to be made. Consequently, regardless of any other mitigating factors, protecting the personal information of the nation’s government employees must be a top priority at all times.