21.5 Million Clearances: The OPM Breach


Every American who has ever applied for a federal security clearance fills out a form called the SF-86. It is not a short form.

The SF-86 asks for every address you have lived at for the past ten years. Every job you have held. Every foreign contact you have. Every trip you have taken abroad. Every financial debt. Every drug use, even experimental. Every mental health treatment. Every arrest, regardless of disposition. The names, addresses, and contact information of your family members, your friends, your references — all of whom are themselves contacted, interviewed, and asked about you.

The SF-86 is, by design, the most comprehensive personal dossier the United States government compiles on private citizens. It is also the document that grants access to state secrets. For investigators performing background checks, it is a roadmap. For a foreign intelligence service, it is something more valuable still: it is a complete profile of your vulnerabilities.

In June 2015, the Office of Personnel Management — the federal agency responsible for managing the government’s civilian workforce and conducting security clearance background investigations — announced that it had been breached. The initial disclosure admitted to a theft of approximately 4.2 million personnel records.

Weeks later, a second, far larger announcement arrived. A separate breach — or more accurately, a separate intrusion that investigators now believed had been running concurrently — had compromised something different and far more sensitive: the background investigation files for current and former federal employees.

The number of people whose SF-86 files had been accessed: 21.5 million.

The number of fingerprint records stolen alongside: 5.6 million.

The perpetrators: assessed with high confidence by US intelligence agencies as operatives of the Chinese Ministry of State Security.

Threat Actor Profile: Deep Panda / APT10

Designation: Deep Panda (CrowdStrike); APT10 (Mandiant/FireEye); Stone Panda (iSight/FireEye secondary); MenuPass (JPCERT); Cloud Hopper (PricewaterhouseCoopers for related campaign)
Attribution: China’s Ministry of State Security (MSS), believed to operate through contractors in Tianjin and elsewhere; US government attributed the OPM breach to China, with senior officials privately stating MSS involvement
Origin: People’s Republic of China
Primary Mission: Strategic intelligence collection for Chinese national security objectives; talent recruitment leveraging compromised personal information; mapping of the US intelligence community and federal workforce
Known Tradecraft: Spear phishing, PlugX RAT, Derusbi implant, living-off-the-land techniques, managed service provider compromise, credential theft, OPM-style large-scale exfiltration

Notorious Operations:

  • OPM Background Investigation Breach (2014–2015): The largest theft of US government personnel data in history — 21.5 million SF-86 files and 5.6 million fingerprints.
  • Anthem Health Insurance (2015): The breach of America’s second-largest health insurer, exposing 78.8 million personal records. Assessed by investigators to be related to the same broader campaign collecting personal information on federal employees and defense workers.
  • United Airlines (2015): Attributed to the same actor in the same period — flight manifests and travel records complementing the personnel profile collection from OPM and Anthem.
  • Operation Cloud Hopper (2014–2017): A massive campaign targeting managed IT service providers (MSPs) globally to reach their government and defense clients through trusted service relationships. Indictments of APT10 members by the DOJ in 2018 named Cloud Hopper explicitly.
  • Marriott/Starwood (2014–2018): A four-year intrusion into the Starwood hotel reservation database, exfiltrating records on 500 million guests — including travel patterns, passport numbers, and contact details. Attributed to China by US, UK, and allied governments in 2018.

The Broader Campaign: Collecting a Nation’s Dossiers

The OPM breach did not happen in isolation. To understand it fully, you must understand the campaign context.

In 2014 and 2015, Chinese intelligence operations were executing what US investigators came to understand as a multi-pronged personal intelligence collection campaign — not collecting state secrets directly, but systematically assembling comprehensive files on the people who held them.

OPM yielded the SF-86 forms — the deepest personal dossier the government kept.

Anthem (78.8 million records) yielded health insurance data — medical histories, treatments, drug prescriptions, Social Security numbers, employer records.

United Airlines flight manifests yielded travel patterns — who was flying to what cities, when, and with whom.

Combined, these datasets created something unprecedented: the ability to identify every American with a federal security clearance, build a comprehensive personal profile including financial pressures, health vulnerabilities, family contacts, and travel patterns, then use that profile to:

  1. Identify intelligence officers — CIA case officers under non-official cover could be identified by cross-referencing OPM records (which listed true-name employment) against travel records and health data
  2. Recruit assets — the SF-86 forms contained precisely the information needed to identify and approach potential vulnerabilities in cleared personnel
  3. Counter-intelligence — understanding the full scope of who the US government employed, in what roles, allowed China to protect its own operations against known investigators

US intelligence officials privately described the OPM breach as potentially allowing China to map every intelligence officer operating in China under diplomatic cover — a capability of extraordinary strategic value.

The Intrusion: Years Undetected

The timeline, reconstructed from congressional testimony, inspector general reports, and press investigations, is a chronicle of institutional failure.

2012–2013: US intelligence agencies issued warnings that OPM’s systems were being targeted by Chinese actors. Internal assessments noted that OPM maintained vast stores of highly sensitive personal data with inadequate security controls. The warnings did not produce rapid remediation.

Late 2013 / Early 2014: Attackers gained an initial foothold in OPM’s network. The precise initial access vector was not publicly confirmed, but investigators assessed spear phishing against a contractor as the likely entry point. The attacker installed a PlugX remote access Trojan — a tool widely associated with Chinese state-sponsored intrusion sets — and began reconnaissance.

Mid-2014: A second breach, apparently by a different Chinese actor (or the same actor under different operational parameters), gained access to OPM’s systems managing background investigation files — the SF-86 repository. This intrusion compromised KeyPoint Government Solutions, an OPM contractor responsible for conducting background investigations, gaining access from the supply chain rather than OPM directly.

2014–2015: Both intrusions operated undetected. The attackers accessed, copied, and exfiltrated personnel records over a period of months. The background investigation files — some of the most sensitive data OPM held — were exfiltrated in bulk.

March 2015: OPM’s security team detected suspicious activity on the network during a product demonstration. Further investigation revealed the personnel record breach (4.2 million records). The background investigation breach was discovered in subsequent analysis.

June 4, 2015: OPM publicly disclosed the first breach. Within weeks, the scale of the background investigation theft — 21.5 million — became clear.

The SF-86: A Manual for Recruitment and Manipulation

The significance of the SF-86 data cannot be overstated — understanding its contents makes the strategic value of the theft evident.

A completed SF-86 form for a senior intelligence officer might typically include:

  • Ten years of residential history with dates
  • Every employer, with supervisors’ names and contact information
  • Names, addresses, phone numbers, and citizenship status of spouse, children, parents, siblings
  • Names and contact information of ten character references, including childhood friends and former colleagues
  • Every foreign national contact, with relationship details and frequency of contact
  • Foreign travel history, purpose, and contacts made
  • Financial records: debts, bankruptcies, judgments
  • Mental health treatment history
  • Drug and alcohol use (including use never resulting in arrest)
  • Criminal history
  • Any exposure to foreign intelligence services

For a Chinese intelligence analyst working in a counterintelligence or foreign recruitment capacity, this document is a toolkit. The financial debt question identifies potential leverage. The foreign contact section identifies existing relationships that might be exploited or monitored. The family member section provides targets for indirect recruitment. The mental health history identifies potential vulnerabilities that could be exploited in approaches.

Former CIA Director John Brennan called the OPM breach “devastating.” Former Director of National Intelligence James Clapper said it was “bad for business” — a careful statement from a man whose own SF-86 file was almost certainly among those stolen.

The Fingerprints: The Permanent Record

The 5.6 million stolen fingerprint records introduced a problem with no solution.

Passwords can be changed. Account numbers can be cancelled. But biometric data cannot be revoked — a stolen fingerprint is stolen permanently. Every future fingerprint authentication system using the affected individuals’ prints carries a potential compromise that cannot be mitigated by issuing new credentials.

The practical threat was near-term: intelligence agencies and governments that use fingerprint-based access control could no longer fully trust that a fingerprint match at a border crossing, a secure facility, or a government system was uncompromised. For the 5.6 million individuals whose prints were stolen, any fingerprint-based authentication for the remainder of their careers would carry a background uncertainty that had not existed before June 2015.

The OPM Inspector General’s report, issued in 2015, identified security failures that had been repeatedly flagged without action: outdated systems, inadequate network monitoring, missing multi-factor authentication requirements, and contractor access controls that were insufficient for the sensitivity of the data handled. Many of the vulnerabilities exploited had been identified in prior audit reports. The recommendations had not been implemented.
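One of the control gaps the Inspector General named is inadequate network monitoring: the background investigation files left the network in bulk over months without anyone noticing. The script below is an added illustration, not code from OPM, the IG report, or any investigator. It runs a simple leave-one-out baseline over per-host daily egress and flags the day a host sends far more outside the network than its own history suggests. Every record, hostname and byte count is constructed sample data; the function and parameter names are the example's own.

```python
"""Egress-volume anomaly check over constructed flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (day, source_host, dest_is_external, bytes_out).
# Hostnames and volumes are invented; "bi-db-01" stands in for any server
# that holds sensitive records and normally sends little traffic outside.
SAMPLE_FLOWS = [
    ("2014-10-01", "bi-db-01", True, 2_000_000),
    ("2014-10-02", "bi-db-01", True, 2_200_000),
    ("2014-10-03", "bi-db-01", True, 1_900_000),
    ("2014-10-04", "bi-db-01", True, 2_100_000),
    ("2014-10-05", "bi-db-01", True, 45_000_000),    # bulk pull to an external host
    ("2014-10-01", "hr-web-02", True, 5_000_000),
    ("2014-10-02", "hr-web-02", True, 5_300_000),
    ("2014-10-03", "hr-web-02", True, 4_800_000),
    ("2014-10-04", "hr-web-02", True, 5_100_000),
    ("2014-10-05", "hr-web-02", True, 5_200_000),
    ("2014-10-05", "hr-web-02", False, 900_000_000),  # internal traffic, not egress
]


def daily_egress(flows):
    """Sum external-bound bytes per (host, day); internal flows are ignored."""
    totals = defaultdict(int)
    for day, host, external, nbytes in flows:
        if external:
            totals[(host, day)] += nbytes
    return totals


def egress_anomalies(flows, sigma=3.0, min_days=3):
    """Return [(host, day, bytes, baseline_mean)] for every day on which a
    host's egress exceeds its own baseline by more than `sigma` standard
    deviations. The baseline for a day is built from that host's *other*
    days (leave-one-out), so one huge day cannot hide itself by inflating
    the mean it is compared against."""
    totals = daily_egress(flows)
    by_host = defaultdict(dict)
    for (host, day), nbytes in totals.items():
        by_host[host][day] = nbytes

    alerts = []
    for host, days in by_host.items():
        if len(days) < min_days + 1:
            continue  # not enough history to form a baseline
        for day, nbytes in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            mu, sd = mean(others), pstdev(others)
            # Floor the spread at 5% of the mean so a perfectly flat history
            # does not produce a zero-width band that alerts on noise.
            threshold = mu + sigma * max(sd, 0.05 * mu)
            if nbytes > threshold:
                alerts.append((host, day, nbytes, mu))
    return alerts


if __name__ == "__main__":
    for host, day, nbytes, mu in egress_anomalies(SAMPLE_FLOWS):
        print(f"ALERT {day} {host}: {nbytes:,} bytes out vs baseline {mu:,.0f}")
```

On the constructed data only the 45 MB day on bi-db-01 trips the check; the 900 MB internal transfer on hr-web-02 is ignored because it never leaves the network. In practice the interesting tuning is the baseline window and the per-host floor, not the sigma value: a database server that normally sends almost nothing outward deserves a far lower absolute alert threshold than a public web tier.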

The Aftermath: A Workforce Notified in Silence

Affected individuals received notifications by mail. The government established a credit monitoring and identity theft protection program. The initial monitoring contract was subsequently cancelled after the vendor failed security checks — a dark irony in a breach defined by security failures.

OPM Director Katherine Archuleta resigned in July 2015. Congressional hearings followed. The Office of Management and Budget issued new cybersecurity requirements and accelerated several IT modernization initiatives.

In December 2018, the Department of Justice indicted two Chinese nationals — Zhu Hua and Zhang Shilong — members of an APT10-associated group, for a broader campaign of hacking against managed service providers and government contractors that included the Cloud Hopper operation. The indictment was widely understood as at least partially addressing the same actors and broader campaign context as OPM, though OPM was not named explicitly.

No one was held accountable in China for the OPM breach specifically. The data remains in Chinese hands. The 21.5 million dossiers — the professional biographies, the family trees, the confessions of debt and weakness and foreign contact — sit in a database somewhere, part of the most comprehensive intelligence archive ever assembled on the American national security workforce.

The names are still there. So are the vulnerabilities.


Attack Chain: OPM Breach — MSS / Deep Panda

graph TD
    A["🇨🇳 Ministry of State Security\n(Deep Panda / APT10)\nPRC Intelligence Collection Campaign"] --> B["Campaign Objective:\nMap US Intelligence Community\nRecruit / Exploit Cleared Personnel"]

    B --> C["Target Identification:\nOPM — Custodian of\nAll Federal Personnel + SF-86 Files"]

    C --> D["Initial Access\n~Late 2013 / Early 2014\nSpear Phishing → PlugX RAT"]
    D --> D1["Access: OPM Internal Network\nPersonnel Records Database"]

    C --> E["Supply Chain Attack\nKeyPoint Government Solutions\nOPM Background Check Contractor"]
    E --> F["Second Foothold:\nOPM Background Investigation\nDatabase Access via Contractor"]

    D1 --> G["Breach 1: OPM Personnel DB\n4.2 Million Records\nEmployment History / PII"]
    F --> H["Breach 2: Background Investigation Files\n21.5 Million SF-86 Forms\n5.6 Million Fingerprint Records"]

    G --> I["Exfiltration — Months\nUndetected Dwell Time\n2014 → March 2015"]
    H --> I

    I --> J["🔴 Stolen Data Package:\n• 21.5M SF-86 Clearance Files\n• 5.6M Fingerprint Records\n• Family Member Details\n• Foreign Contacts\n• Financial + Medical History"]

    J --> K["Chinese Intelligence Analysis\nCross-Reference with:\n• Anthem Health (78.8M records)\n• United Airlines Flight Manifests\n• Other Concurrent Breaches"]

    K --> L["Combined Profile:\nEvery Cleared US Govt Employee\nFull Personal Dossier"]

    L --> L1["Identify CIA / Intelligence Officers\nunder Diplomatic Cover in China"]
    L --> L2["Map Recruitment Targets:\nFinancial Pressures / Vulnerabilities"]
    L --> L3["Counter-Intelligence:\nKnow US Investigators' Identities"]
    L --> L4["Biometric Database:\nPermanent Fingerprint Records"]

    I --> M["March 2015:\nOPM Detects Suspicious Activity\nDuring Product Demo"]
    M --> N["June 4, 2015:\nOPM Discloses Breach\n'4.2M Personnel Records'"]
    N --> O["Weeks Later:\nBackground Investigation Breach\nConfirmed — 21.5M SF-86 Files"]

    O --> P["OPM Director Archuleta Resigns\nJuly 2015"]
    O --> Q["Congress: Systemic Failure\nPrior Audits Ignored\nSecurity Recommendations Unimplemented"]
    O --> R["$500M+ Credit Monitoring\nImpacted Individuals\nMonitoring Vendor Later Cancelled"]

    J --> S["DOJ Indicts:\nZhu Hua + Zhang Shilong\nAPT10 — December 2018\n(Broader MSS Campaign)"]
    S --> T["🇨🇳 No Actual Accountability\nData Remains in PRC Possession\nNo Extradition, No Recovery"]