Espionage · Resolved

U.S. Office of Personnel Management breach

Chinese state operators exfiltrated background-investigation forms (SF-86s) for 21.5 million U.S. federal employees and contractors — the most-damaging intelligence-loss cyber incident in U.S. government history.

Victim: U.S. Office of Personnel Management (OPM)
Loss: $350.0M
Records: 21.5M
Users: 21.5M

In mid-2014, Chinese state operators — most-cited public attribution is to the Ministry of State Security (MSS) — established persistent access to the U.S. Office of Personnel Management (OPM), the federal HR agency that processes background investigations for every U.S. government employee and contractor seeking a security clearance. Over the next year, they exfiltrated:

  • Personnel records on 4.2 million current and former federal employees (June 2015 disclosure)
  • Background investigation files (SF-86 forms) on 21.5 million individuals including the employees themselves, their spouses, family members, and references (July 2015 expansion)
  • Fingerprints on 5.6 million individuals

It is widely assessed as the most-damaging intelligence-loss cyber incident in U.S. government history, surpassing even the Snowden disclosures in long-term impact on U.S. human-intelligence operations.

What was stolen

The SF-86 ("Questionnaire for National Security Positions") is a 127-page form completed by every U.S. federal employee or contractor applying for a security clearance. It asks for every place the applicant has lived, every job, every foreign contact, every foreign travel, every drug use, every mental health treatment, every financial difficulty, every relative — going back decades.

The form exists to identify potential foreign-influence vulnerabilities. In the hands of a foreign intelligence service, it is exactly the inverse: a catalogue of every individual leverage point for the people the U.S. government has trusted with classified information.

The exfiltrated dataset included background-investigation files on:

  • CIA-affiliated personnel. CIA officers' own SF-86s are processed internally rather than at OPM, but the dataset still exposed many CIA contractors.
  • State Department officials, including consular officers.
  • Department of Defense civilians and contractors.
  • NSA personnel.
  • Federal law enforcement (FBI, DEA, etc.).
  • Critical-infrastructure contractors with cleared access.

The CIA reportedly recalled multiple officers from China-based stations in the years following the breach, on the assessment that their cover or backgrounds had been compromised. The full intelligence cost is, by nature, never publicly disclosed.

How it happened

The intrusion was technically unsophisticated. The attackers:

  • Phished credentials from a KeyPoint Government Solutions contractor with privileged OPM access.
  • Used those credentials to access OPM's network in May 2014.
  • Established persistent backdoors using PlugX/Sakula malware common to Chinese MSS-attributed operations.
  • Survived OPM's mid-2014 detection and remediation attempt: OPM did not fully evict the operators, who simply relocated within the network and continued operating.
  • Spent months exfiltrating SF-86 forms and fingerprint records.

Detection finally came in April 2015, after CyTech, during a sales demonstration, installed a network-monitoring tool that flagged active C2 traffic. Eleven months of dwell time had passed since the initial intrusion in May 2014.

Impact

  • 21.5 million individuals had their full SF-86 background investigation files exposed.
  • 5.6 million had fingerprint records stolen.
  • OPM Director Katherine Archuleta resigned five days after the second disclosure.
  • The agency spent over $133 million on remediation and credit monitoring, plus additional hundreds of millions on a CDM (Continuous Diagnostics and Mitigation) overhaul and a new background-investigation system.
  • The House Oversight Committee's bipartisan post-mortem concluded that the breach "compromised national security for a generation."
  • The Department of Defense took over background investigations from OPM (via the renamed Defense Counterintelligence and Security Agency, DCSA), reflecting structural distrust of OPM as a clearance host.

Attribution

U.S. intelligence community public attribution points to Chinese state actors, with Mandiant, CrowdStrike, and U.S. government statements consistently naming the MSS as the responsible service. The same actor cluster has been associated with the 2014–2018 Marriott / Starwood breach, the 2015 Anthem breach, and the 2017 Equifax breach — a pattern interpreted as a Chinese strategic intelligence collection program targeting U.S. personal-records-rich data sources to build comprehensive dossiers on cleared personnel.

No individual MSS officer has been publicly indicted for OPM specifically.

Why it matters

OPM is the canonical case for state cyberespionage causing irreversible national-security loss. Unlike financial breaches, which are recoverable, the data stolen from OPM cannot be un-stolen — the SF-86 forms are permanent dossiers on cleared personnel and remain operationally useful to any foreign intelligence service for decades.

The incident reshaped U.S. policy on several axes:

  • Mandatory federal IT modernisation (the IT Modernization Fund, established 2017).
  • Restructuring of the federal personnel security ecosystem (OPM → DCSA).
  • CISA's establishment in 2018 as the federal-civilian cybersecurity coordinator, with the OPM breach as a primary motivating case.
  • The concept of "data adversaries can never give back" as a distinct category of cyber loss, separate from operational disruption or financial theft.

Financial impact

Reported costs in USD

Total reported loss: $350.0M (USD 350,000,000)
  • Business loss: $200.0M
  • Remediation: $133.0M

Timeline

  1. First confirmed Chinese state intrusion into OPM systems detected. Initial scope assessed as limited to administrative data.

  2. OPM begins remediation of the initial intrusion. Operators are still resident; they relocate within the network rather than being evicted.

  3. Operators access background-investigation databases (e-QIP), exfiltrating SF-86 forms — the detailed personal histories submitted by every federal employee and contractor seeking a security clearance.

  4. Operators exfiltrate fingerprint records on 5.6 million individuals.

  5. OPM's CyTech-deployed network monitoring detects the active exfiltration after 11 months of dwell time.

  6. OPM publicly discloses a breach of 4.2 million current and former federal employee personnel records.

  7. OPM expands disclosure: a second, larger breach of background-investigation records exposed 21.5 million individuals.

  8. OPM Director Katherine Archuleta resigns.

  9. House Oversight Committee publishes a 241-page bipartisan report concluding OPM 'has failed to fulfill its role as the personnel security advisor to the federal government' and that the breach 'compromised national security for a generation'.

Sources

  1. oig.opm.gov: https://oig.opm.gov/sites/default/files/reports/2015%20Cybersecurity%20Briefing%20Document_0.pdf
  2. oversight.house.gov: https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
  3. opm.gov: https://www.opm.gov/news/releases/2015/07/opm-announces-steps-to-protect-federal-workers-and-others-from-cyber-threats/

Related incidents

Espionage · Contained

Salt Typhoon US telecom espionage campaign (2024)

China-linked Salt Typhoon infiltrated at least nine U.S. telecom providers — Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated, Windstream — including the CALEA lawful-intercept systems used for court-authorised wiretaps. Metadata for over a million users was exposed; the U.S. Treasury sanctioned a linked PRC contractor.

Victim: U.S. telecommunications providers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream)

Espionage · Contained

Microsoft Storm-0558 signing-key theft and US government email access (2023)

China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations — including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.

Victim: Microsoft customers (US State Department, Department of Commerce, ~25 organisations)

Espionage · Resolved

Democratic National Committee hack

Russian GRU Units 26165 (APT28) and 31165 (APT29) compromised the Democratic National Committee, Hillary Clinton campaign, and DCCC. Stolen emails were selectively released via 'DCLeaks', 'Guccifer 2.0', and WikiLeaks to influence the 2016 U.S. presidential election.

Victim: Democratic National Committee + Clinton campaign + DCCC
Loss: $50.0M
Records: 50.0K

Espionage · Contained

Ukraine power grid attack — Sandworm BlackEnergy (2015)

The Russia-linked Sandworm group used spear-phishing, BlackEnergy3, and KillDisk to remotely flip breakers at three Ukrainian regional electricity distribution companies, cutting power to approximately 230,000 customers for 1–6 hours. It is the first publicly acknowledged successful cyberattack on an electric power grid in history.

Victim: Ukrainian regional electricity distribution companies (Oblenergos)