OPM Breach Exposed Security Clearance Files and Fingerprints of 22.1 Million People
Hackers tied by multiple reports to China penetrated the U.S. Office of Personnel Management and accessed some of the government’s most sensitive personnel systems, including databases linked to federal employee records and the e-QIP security-clearance platform. What was first described in 2014 as a detected intrusion later emerged as one of the most damaging breaches of U.S. government networks: authorities said the attackers compromised records on 22.1 million people, including current and former federal workers, contractors, applicants, and others connected to background investigations. The stolen data included Social Security numbers, health and financial details, background-investigation forms, and 5.6 million fingerprints, raising fears that the information could be used to build long-term intelligence dossiers on U.S. personnel.
The breach triggered resignations, congressional scrutiny, and years of criticism over OPM’s security failures. OPM Director Katherine Archuleta resigned after the scale of the compromise became clear, and CIO Donna Seymour later stepped down amid pressure from lawmakers and investigators. Reports said the intrusion was discovered during a security product demonstration, and watchdogs accused OPM officials of obstructing parts of the investigation. The Government Accountability Office later found that dozens of recommended fixes remained incomplete years after the attack, including weaknesses around passwords, shared administrative accounts, and contractor oversight.

How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
GAO finds many OPM security recommendations still unresolved
By November 2018, a Government Accountability Office review found little or no evidence that OPM had addressed 29 of 80 cybersecurity recommendations issued across reports covering February 2015 through August 2017. The findings indicated that serious weaknesses persisted years after the breach, including password and privileged-account management concerns.
Chinese national is arrested over malware tied to OPM hack
On August 24, 2017, U.S. authorities arrested a Chinese national accused of using malware linked to the OPM intrusion. The case represented a notable law-enforcement development connected to tooling associated with the breach.
House Oversight report blames OPM leadership for breach
On September 7, 2016, a House Oversight Committee report concluded that OPM leadership bore significant responsibility for the massive breach of federal personnel and security-clearance records. The report added a formal congressional finding to the fallout from the incident, emphasizing management and security failures.
OPM CIO Donna Seymour resigns before congressional testimony
On February 22, 2016, OPM Chief Information Officer Donna Seymour resigned shortly before appearing before a House panel examining the breach. Lawmakers had sharply criticized her over longstanding cybersecurity weaknesses at the agency.
Government says 5.6 million fingerprints were stolen in OPM hack
On September 23, 2015, the U.S. government disclosed that fingerprint data for 5.6 million people had also been compromised in the OPM breach. This expanded the known sensitivity and long-term counterintelligence implications of the stolen data.
OPM inspector general accuses agency officials of hindering probe
On August 7, 2015, OPM Inspector General Patrick McFarland said the agency's CIO office had hindered his investigation by fostering mistrust and providing incorrect or misleading information. The accusation deepened scrutiny of OPM's response and oversight failures after the breach.
OPM Director Katherine Archuleta resigns amid breach fallout
In July 2015, OPM Director Katherine Archuleta resigned after intense criticism over the agency's handling of the breach and revelations that the compromise was larger than initially reported. Her departure marked a major leadership consequence of the incident.
OPM says security-clearance hack affected about 21.5 million people
On July 9, 2015, federal authorities disclosed that the separate breach of OPM's security-clearance systems was far larger than first understood, affecting roughly 21.5 million people. The incident involved highly sensitive background-investigation data beyond standard personnel files.
OPM publicly discloses breach affecting federal personnel records
On June 4, 2015, OPM announced that hackers had compromised personnel records of current and former federal employees. Early public estimates put the number of affected individuals at about 4 million, and China was widely suspected though not officially named.
A second major OPM compromise is discovered during a product demo
In April 2015, investigators discovered another major OPM intrusion after a contractor demonstration of security tools revealed malicious activity on the agency's network. This discovery led to a broader investigation of the compromise affecting personnel and clearance data.
News reports disclose the March 2014 OPM breach attempt
On July 10, 2014, reporting revealed that Chinese hackers had penetrated OPM systems months earlier and may have targeted records tied to security-clearance applicants. The disclosure highlighted the sensitivity of OPM's e-QIP data and broader U.S. concerns about Chinese cyber espionage.
OPM network intrusion is detected and blocked
In March 2014, U.S. officials detected and blocked a breach of the Office of Personnel Management network that reportedly gave Chinese hackers access to some federal employee-related databases. Officials said at the time that no confirmed loss of personally identifiable information had been identified, though the full scope was unclear.