The Washington Post: Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Lawyers are nearing a settlement deal for the infamous 2015 OPM hack

Welcome to the Cybersecurity 202! HBO’s Julia Child biopic “Julia” is fantastic and I give it my strongest recommendation. The only drawback is it looks as if Jacques Pepin won’t be introduced until Season 2 at the earliest. 

Below: The State Department is offering $15 million for information about the Conti ransomware gang, and a U.S. tractor maker was hit with a ransomware attack.

Some of the government workers whose data was breached in 2015 could share $63 million

Attorneys are closing in on a settlement deal that could deliver up to $63 million to some victims of one of the most cataclysmic data breaches in history.

The settlement, if approved by a judge, would end a seven-year legal effort to win compensation for more than 21 million current and former federal employees who were victims of the hack of the Office of Personnel Management (OPM) in 2015, which intelligence officials say was almost certainly perpetrated by the Chinese government.

The OPM breach marked a devastating blow to the U.S. government’s reputation for cybersecurity and sparked intense anger among many victims — largely because the breached information was intensely personal. It included background check forms that delved into victims’ financial and romantic lives as well as Social Security numbers and — in a subset of about 5.6 million cases — fingerprint information.

OPM victims have faced a number of hurdles, including legal precedents that make it difficult or impossible to win compensation from data breaches that don’t create direct economic loss. That’s a high bar for OPM victims because the breach appears to have been for espionage purposes and there’s no definitive evidence any of the stolen data was ever used for cybercrime. 

  • A plaintiff’s lawyer described the proposed settlement deal, which was filed Friday, as the best possible outcome for victims, while acknowledging that legal limitations made it far narrower than many breach victims would like.

The proposed settlement would only compensate a subset of victims who can prove they suffered actual financial losses from the breach. Examples include if victims paid out of pocket for identity theft protection, paid to freeze or unfreeze their credit or believe their data was used in an identity theft scheme. 

Victims who meet those criteria will receive at least $700 and up to $10,000 under the proposed deal.

  • “Under the circumstances that we faced, we think it’s pretty darn good,” Jordan Elias, a lawyer for the plaintiffs, told us.

Attorneys initially sought compensation for a larger group of OPM victims, but a U.S. district court judge dismissed the case in 2019. It was revived by a federal appeals court with the narrower focus.

It’s not clear how many OPM victims will meet those criteria. But it’s likely to be only a small portion of the 21.5 million total victims. 

  • The government has paid to make credit monitoring and identity theft protection available to all OPM victims through at least 2025, so presumably relatively few people bought those things on their own.
  • There have been periodic suggestions that breached OPM data has made its way to cybercriminals and been used for identity theft, but those claims have never been proven. Even if some of the OPM data was ultimately used for cybercrime, it’s notoriously difficult to trace the origin of identity theft data because most people’s personal data has been exposed in numerous breaches.

A plaintiff’s brief in favor of the settlement describes the payments as “generous” and notes the lawyers would face long odds getting such a deal through litigation. Among other challenges, OPM would likely refuse to disclose information about its data security practices because of national security concerns.

“This case, arising from cyber intrusions into federal databases, has always involved unique risks and challenges, and the settlement provides Class members with all or more than they reasonably could expect from the litigation,” the brief states.

The OPM breach was a watershed moment for government cybersecurity. 

  • First, there was the immense scope of the stolen information. Cyber analysts speculated that Chinese officials planned to use the data, along with information stolen from the insurer Anthem, to create a database of Americans in sensitive government positions and ways they might be susceptible to bribery or blackmail.
  • The OPM hack also spurred U.S. officials to get far tougher on Chinese hacking, including floating the idea of imposing sanctions for the breach.
  • That pressure campaign helped produce a deal former president Barack Obama struck with Chinese President Xi Jinping later that year to bar commercial hacking between the nations. The deal largely fell apart early in the Trump administration, but not before China arrested hackers it claimed were responsible for the OPM breach.

The keys

U.S. government dangles $15 million in rewards for information about Conti ransomware gang

It’s part of a broader attempt to strike back at the notorious gang, which is responsible for “the costliest strain of ransomware ever documented,” State Department spokesman Ned Price said. The group’s ransomware has targeted Ireland’s health-care system and Costa Rica’s government.

The State Department has offered similar rewards for information on two other ransomware gangs through its transnational crime rewards program. Those groups — DarkSide and Sodinokibi, also known as REvil — were responsible for a string of infamous hacks: DarkSide hacked Colonial Pipeline, while REvil hacked the world’s largest meat supplier, JBS Foods, and Kaseya, an IT firm.

The State Department has also gone after hackers through a different rewards program, which has pursued government-backed hackers to further U.S. national security. Under that program, it has sought information on:

  • Iranian hackers who allegedly stole voter data and hacked a news organization
  • The Russian hackers allegedly behind attacks on Ukraine’s power grid and the 2018 Winter Olympics
  • Russian hackers who targeted critical energy firms worldwide
  • Government-backed hackers targeting critical firms like pipelines and hospitals
  • North Korean hackers

Treasury Department sanctioned a cryptocurrency mixer for the first time

The sanctioned firm, called Blender, obscures cryptocurrency ownership by pooling digital assets together, Tory Newmyer reports. Russian ransomware groups and North Korean hackers have used the service to launder the proceeds of their cyberattacks, the Treasury Department said. Blender didn’t respond to a request for comment.

Context: The move comes as the U.S. government tries to pursue a $600 million cryptocurrency haul stolen by North Korean hackers from a video game in March. The hackers in that case used another mixer called Tornado Cash to launder some of the hacked cryptocurrency, my colleagues reported.

In April, the U.S. government blamed the Lazarus Group for the hack. The North Korean hacking gang was also responsible for the 2014 hacking of Sony Pictures Entertainment, authorities said.

A major U.S. tractor maker was hit by ransomware

The cyberattack affected some of tractor maker AGCO’s production plants and the company expects its operations to be “adversely affected for several days and potentially longer,” the company said. More than 75 percent of AGCO’s 2021 sales were in North America and Europe, according to its annual report.

The hack comes at a tough time for the agriculture industry. 

  • The industry is facing a shortage of workers and parts, as well as increasing inflation, Reuters reported in March. 
  • Last month, the FBI warned that hacking groups could target agricultural co-ops during important seasons for the industry. In September, it warned that manufacturers could be among the firms targeted.

Chat room

Elon Musk pledged to focus Twitter on information security and “hardcore software engineering” if he completes his purchase of the social network. Among possible projects, Musk has said he’d like to ramp up encryption on Twitter direct messages.

Musk also pledged to ban Twitter spam bots, but he’s benefited from them in the past, Joseph Menn and Cat Zakrzewski report.

Global cyberspace

Pro-Russian hackers hit German government sites, Spiegel says (Bloomberg)

U.S. targets Russian TV stations in new sanctions (Axios)

Securing the ballot

Audit the Vote gave us its canvassing data to check the results. It was riddled with errors (LNP | LancasterOnline)

Government scan

Transportation proposes near $1M fine for Colonial Pipeline one year after hack (NextGov)

National security watch

The Pentagon wants to prevent personnel data tracking, breaches (FCW)

Cyber insecurity

Crypto bridge heists swiping $1 billion spur race for alternatives (Bloomberg)

  • Director of National Intelligence Avril Haines and Scott Berrier, who leads the Defense Intelligence Agency, testify on worldwide threats at a Senate Armed Services Committee hearing Tuesday at 9:30 a.m.
  • A House Science Committee panel holds a hearing on open-source software cybersecurity Wednesday at 10 a.m.

Secure log off

Thanks for reading. See you tomorrow.