Security Experts:

Connect with us

Hi, what are you looking for?



OPM Suspends Background Check System to Patch Security Bug

The U.S. Office of Personnel Management (OPM) announced on Monday that it has temporarily suspended its Electronic Questionnaires for Investigations Processing (e-QIP) system after discovering the existence of a security bug.

The U.S. Office of Personnel Management (OPM) announced on Monday that it has temporarily suspended its Electronic Questionnaires for Investigations Processing (e-QIP) system after discovering the existence of a security bug.

Following the recent data breach, in which attackers are said to have gained access to the details of as many as 18 million federal employees, the OPM started conducting a comprehensive security review of its IT systems.

The audit revealed the existence of a vulnerability in e-QIP, a web-based system used to conduct background checks for federal security, fitness, suitability, and credentialing purposes.

According to the OPM, the temporary shutdown of the e-QIP system is not related to the recent breach; it is a proactive step taken to ensure the security of the organization’s network. There is no evidence that the security flaw uncovered during the review has been exploited, the agency said.

“The security of OPM’s networks remains my top priority as we continue the work outlined in my IT Strategic Plan, including the continuing implementation of modern security controls,” stated OPM Director Katherine Archuleta. “This proactive, temporary suspension of the e-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted.”

The background investigations system will be offline for 4-6 weeks while security enhancements are put into place.

The attackers that targeted OPM are said to have gained unauthorized access to personally identifiable information (PII), records and other sensitive data belonging to millions of current, past and prospective federal employees.

While OPM officials haven’t said anything about who is behind the attack, actors sponsored by the Chinese government have been the prime suspect from day one. China was also named the “leading suspect” by Director of National Intelligence James Clapper at a conference in Washington last week.

China is often blamed for cyberattacks against United States organizations, but the country has constantly denied any involvement. Last week, US and Chinese officials met in Washington and once again held talks on hacking.

The American Federation of Government Employees (AFGE) has filed a class action lawsuit against the OPM, its director, and its chief information officer. The complaint also names KeyPoint Government Solutions, a private contractor that handled a majority of OPM’s background checks. KeyPoint announced suffering a data breach in December 2014.

The AFGE has pointed out that the audits conducted by the OPM’s Office of Inspector General over the past years have revealed the existence of several security issues. The report published by the OIG in November 2014 revealed that the cyber security deficiencies “could potentially have national security implications.”

The AFGE said the OPM failed to take proper measures to protect sensitive information despite knowing of the KeyPoint hack and the security weaknesses that plagued its own systems.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.