// overview
What happened
In April 2015, OPM technical staff investigating an SSL certificate anomaly discovered an active intrusion that had been exfiltrating data since at least May 2014. By the time the breach was contained, attackers had taken the personnel records of 4.2 million federal employees and — in a separate, deeper compromise — the SF-86 security-clearance background investigations of 21.5 million applicants.
The SF-86 is not an HR form. It is 127 pages of the most sensitive personal information the US government collects: every address you have lived at since age 18, every foreign citizen you have known, every drug you have used, every therapist you have seen, every debt you have carried, every sexual relationship that could be used to compromise you.
Among the affected were undercover intelligence officers, their family members, their personal references, and their foreign contacts. Some 5.6 million fingerprint records were also taken — biometrics that can never be reissued.
The Director of National Intelligence and FBI publicly attributed the breach to the Chinese state. In 2017 the US Department of Justice indicted Chinese contractor Yu Pingan in connection with related malware (Sakula). The OPM director resigned. CISA was created in 2018 partly in response to the lessons of the failure.
// timeline
How it unfolded
May 2014
Initial intrusion; attackers establish persistent access.
Dec 2014
Contractor KeyPoint credentials stolen — used to pivot deeper into OPM systems.
Apr 15, 2015
OPM detects malicious traffic during SSL investigation.
Jun 4, 2015
Personnel-records breach (4.2M records) disclosed publicly.
Jul 9, 2015
Background-investigation breach (21.5M records) disclosed; OPM Director Katherine Archuleta resigns the next day.
Aug 2017
DOJ arrests Chinese national Yu Pingan for related malware operations.
// damage
Impact and scale
Every person who applied for a US federal security clearance between 2000 and 2014 was in the dataset. SF-86 forms include 127 pages of intimate personal detail: addiction history, foreign contacts, mental health, debts, sexual partners. China now holds permanent leverage material on the entire US intelligence community and decades of officers' families and contacts.
// affected
Who was hit
- 21.5 million current, former, and prospective federal employees and contractors
- Family members and personal references listed on SF-86 forms
- 5.6 million individuals whose fingerprints were taken
- Every member of the US intelligence community cleared during the affected window
// lessons
Key takeaways
- Contractors are part of your attack surface — KeyPoint's compromised credentials were the entry point.
- Some data, once stolen, is permanent: fingerprints and SF-86 disclosures cannot be reissued like a password.
- Segmentation matters most for the data you cannot rotate; clearance archives should not share trust boundaries with HR systems.
- The counter-intelligence consequences of a data breach can persist for decades, outlasting every official who was affected.