OPM Breach Discovered During a Product Demo (and Undetected for Over a Year)

Last Updated on June 13, 2015

In information security, a product demo is quite important inside the sales process. Normally conceived as a necessary step to show the product features and integration capabilities in a real world condition (hopefully with some well established success criteria), it often turns out to be a sort of red pill capable to show “how deep the rabbit hole goes”, in other terms, how many threats (more or less serious) have gone undetected until that moment.

This kind of medicine is never particularly sweet to swallow, but in case of the Office of Personnel Management, that red pill had a tremendously bitter taste.

Few days ago, the OPM has revealed to have been breached in April 2015, and as a consequence it has notified 4 million current and former federal employees that their personal data might have been compromised following the attack. The official statement did not provide too many details, indicating that the breach was discovered thanks to:

the aggressive effort [undertaken by the OPM] to update its cybersecurity posture, adding numerous tools and capabilities to its networks

Unfortunately, it looks like this description was not completely accurate (or at least did not tell everything), as new revelations suggest that the breach was undetected for over a year and, curiously, discovered during the product demo of a network forensic tool.

This allowed to discover that everything started with an initial intrusion into OPM’s systems, which was subsequently used by the intruders to hop through four different segments of OPM’s systems.

Also the impact of the attack seems considerably larger than what was initially estimated. Apparently the Central Personnel Data file was the targeted database, and now the attackers could be in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employee.

At least the good news is that the product demo was successful, although I am not totally convinced that what was found, was part of the success criteria.