- Sarah Anderson & Julian Mahfouz
$63M for OPM Data Breach Victims Pending Approval
The Office of Personnel Management (“OPM”), one of the federal government’s largest human resource management entities, and its former cybersecurity provider, Peraton Risk Decision Inc., are about to agree to a sixty-three million dollar data breach settlement. The breach occurred almost a decade ago, and it and the litigation that followed began with a failure to implement a basic security precaution.
How did the hack take place? The simplest answer is that OPM lacked two-factor authentication, despite knowing its servers were at risk. More of a siege than a blitz, the hack began in November of 2013 and continued through April of 2015. While the specific details of the initial breach are elusive, it is likely that a Chinese state hacker exploited a zero-day weakness to infiltrate the servers of KeyPoint (which has since changed its name to Peraton Risk Decision Inc.) and obtain login credentials to OPM servers. A zero-day weakness is a faulty software patch that hackers abuse on the first day it is identified, before the company can implement patches on its end.
Although zero-day weaknesses are hard to guard against, OPM’s lack of two-factor authentication made obtaining login credentials the only barrier to unfettered server access. Yu Pingan, a Chinese national, was arrested in 2017 and accused of many of these zero-day infiltrations, including the OPM hack.
The OPM hackers (assumed to be a branch of Deep Panda, a state-sponsored Chinese hacking group) initially gained access only to a benign part of the OPM server, which lacked personal or sensitive data. Although OPM learned of the breach shortly after it occurred, the agency still failed to implement any kind of two-factor authentication to prevent a more intensive intrusion. Mistakenly, OPM believed it could purge the hackers itself.
Like dairy products left exposed in the open air, OPM’s decision to delay its response made the situation worse. With OPM putting no preventative obstacles in place, the hackers installed Sakula, a strain of remote access malware. So, while OPM purged the hackers and patched the initial breach in May of 2014, the hackers had used their six-month head start to gain entry to even more vulnerable portions of the server. The hackers eventually obtained sensitive data throughout 2015, pocketing the information of over twenty-one million people.
Once notified of the breach, the AFL-CIO and other federal unions filed suit on behalf of the class of victims. While the purported class initially struggled to establish standing without demonstrable injuries apart from the breach, negotiations between OPM and the class began in 2019. After more than two years of negotiation, the unions and OPM reached a settlement agreement, which is now pending approval before a D.C. Federal Court.
The terms of the settlement agreement require that OPM set aside a fund of sixty million dollars, to which Peraton Risk Decision Inc. must contribute an additional three million dollars. Separate from the sixty-three million dollar fund, OPM will pay the costs of settlement notice and claims administration, and the victims’ attorneys’ fees as awarded by the Court. If approved, the next question is how victims will request and access the settlement fund.
The settlement agreement proposes a multistep process that will notify at least eighty percent of the class members. Approximately 3.2 million breach victims who accepted OPM’s offer of free identity protection and credit restoration services will receive direct notice of the settlement via email, based on contact information maintained by IDX (the vendor currently providing them with identity protection services). Emails also will be sent to class members using the email list of the two largest federal employee unions, American Federation of Government Employees and National Treasury Employees Union. As an additional notification measure, OPM will initiate a wide-ranging publication campaign employing targeted digital advertisements, banners on commonly visited websites, a press release, print and radio ads, and a dedicated settlement website.
Once notified, potentially eligible individuals (those whose personal information was compromised during the breaches) will be asked to show or affirm that they suffered out-of-pocket expenses or loss of compensable time in one of three ways: (1) that they purchased a credit monitoring product, a credit or identity theft protection product, or another product or service designed to identify or remediate the data breaches at issue in this case; (2) that they accessed, froze, or unfroze a credit report with a credit reporting agency; or (3) that, because of the hack, they suffered an identity theft incident or had to mitigate one. The awards to the OPM victims are expected to vary depending upon the extent of their injury. More to follow!