2.3 Human Resources (HR) Records
The largest HR or personnel records breach (a break-in with theft or manipulation of data) in history occurred in 2015 at the United States Office of Personnel Management (OPM). The breach involved the theft of 21.5 million US government employee records along with 5.6 million fingerprint records. Keep in mind that these records contain the contents of the SF86, a questionnaire completed when applying for a security clearance, and include information not only about the applicant but also about their extended families and neighbours. It is rumoured that the Chinese are using the information from these records to put together a “Facebook” of US government and military personnel that can be used to put pressure on them or co-opt them.
This breach was a classic case of risk versus reward. Enough golden eggs (records) existed in one place with the potential for enough damage that they were highly sought after and justified the expenditure of almost any effort to obtain them.
Access was obtained through a breach of a US Government contractor who had access and, unfortunately, less security to go through. We, the defensive team (the good guys), failed to encrypt the records, disperse the records (so they’re not all in one place), and keep non-current records offline. To make matters worse, the intrusion was not detected for a long period of time.