Identity Verification: Data Breaches and Conflicts of Interest
OPM Breach (2014-2015)
What Was Exposed
22.1 million records total (revised upward multiple times). Includes 21.5 million SF-86 security clearance forms (finances, mental health, foreign contacts, sexual history, drug use, family members, associates) and 5.6 million fingerprint records. SSNs for all affected. Attributed to Chinese state actors (Jiangsu State Security Department, MSS subsidiary).
Staggered Disclosure
- March 2014: First breach detected (later revealed to have begun December 2013 via USIS contractor systems)
- July 9, 2014: NYT publicly revealed intrusion (“Chinese Hackers Pursue Key Data on U.S. Workers”). OPM sent email to workers same day.
- June 4, 2015: OPM publicly disclosed second, larger breach. Initially stated 4 million affected.
- June 2015: FBI Director Comey confirmed ~18 million affected — over 4x the initial number.
- July 9, 2015: OPM announced 21.5 million affected in second breach.
- Late Friday, July 10, 2015: OPM Director Katherine Archuleta resigned.
Numbers revised upward at each disclosure. Each announcement came separately, spreading the impact across multiple news cycles.
Foreign Nationals Processing Clearance Data
A consultant working with an OPM-contracted company found:
- Unix systems administrator physically located in Argentina
- Co-worker physically located in the People’s Republic of China
- Both had direct access to every row of data in every database
- Another team working with these databases had two members holding PRC passports
Source: https://raysemko.com/2015/06/20/encryption-useless-when-opm-hires-foreign-contractors/
USIS Contractor
USIS (established 1996 from privatization of OPM’s investigative branch) held five-year contract for background check investigations for 95+ federal agencies. USIS detected breach of its own networks dating to December 2013, notified OPM June 2014. OPM later terminated USIS contract.
House Oversight Report
“The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation” — documented systemic security failures including lack of encryption, no multi-factor authentication, and failure to implement IG recommendations spanning years.
Source: https://oversight.house.gov/report/opm-data-breach-government-jeopardized-national-security-generation/
Source: https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
Source: https://www.nextgov.com/cybersecurity/2015/06/timeline-what-we-know-about-opm-breach/115603/
Equifax Breach (2017)
147 million Americans: names, SSNs, birth dates, addresses, driver’s license numbers. $700M settlement.
Aadhaar (India)
Biometric ID system, 1.3+ billion people.
- January 2018: Tribune News Service purchased access to full database for 500 rupees (~$7) via WhatsApp-advertised service
- March 2018: leak at state-owned utility (Indane/IOCL) exposed millions of Aadhaar numbers and demographic data
- 2019: Comparitech found unsecured database exposing 275 million Indians' Aadhaar details
CLEAR (Airport Biometric)
August 2021: researchers disclosed kiosk software exposed customer data (photos, partial IDs) to unauthorized access. Reported by Vice/Motherboard. CLEAR collects fingerprints, iris scans, facial images. Private company operating in public airport infrastructure with TSA partnership.
Voter Registration Databases
- December 2015: researcher Chris Vickery found 191 million US voter records exposed on unsecured database (names, addresses, DOBs, party affiliation)
- June 2017: Deep Root Analytics (GOP contractor) exposed 198 million voter records on unprotected Amazon S3 bucket
Persona
Identity verification company used by Square, Coursera, Postmates. Collects government IDs, selfies, SSNs, address data. No major public breach to date.
The Red Queen Effect: Escalating Identity Verification
Each major breach renders the stolen identity data permanently compromised. The response is always to raise the verification bar — requiring more data, more biometrics, more invasive checks — which creates richer honeypot targets for the next breach.
Cycle:
- Breach exposes SSNs → SSN no longer sufficient for identity verification
- Systems add knowledge-based authentication (KBA) → breached data makes KBA trivially answerable by attackers
- Systems add photo ID upload → deepfakes and document forgery improve
- Systems add biometric selfie matching → biometric databases become targets
- Biometric databases get breached (OPM fingerprints, Aadhaar) → biometrics, unlike passwords, cannot be changed or reissued
Each escalation demands collecting MORE sensitive data from MORE people, stored in MORE centralized databases, creating MORE attractive targets. The verification treadmill never makes anyone safer — it just raises the stakes of the next breach.
Key data points:
- OPM (2015): 5.6 million fingerprints stolen. Fingerprints cannot be rotated.
- Equifax (2017): 147M SSNs. SSN is now functionally public information for half of Americans.
- Aadhaar: biometric data for 1.3 billion people, breached repeatedly.
- Each breach increases pressure to adopt the NEXT layer of verification, which collects the NEXT layer of sensitive data.
Sources
- OPM breach: various (disclosed June 2015)
- Tribune News Service (January 2018) on Aadhaar
- Vice/Motherboard on CLEAR (August 2021)
- Chris Vickery disclosure (December 2015)
- Deep Root Analytics (June 2017)