An investigation by the House Oversight and Government Reform Committee into the massive Office of Personnel Management (OPM) breach confirms that OPM itself first discovered the breach, rather than a contractor who was demonstrating its product days later.
According to documents reviewed by the committee and described in a May 26 letter from Ranking Member Elijah Cummings, Brendan Saulsbury, an OPM contract engineer, discovered the breach on April 15 or 16, 2015.
The government had previously issued a timeline of the incident, which compromised information on 22 million employees, but there had been claims that the breach was first detected by CyTech during a product demonstration. The committee’s findings confirm the government’s earlier account of the discovery.
Saulsbury was working in OPM’s Security Operations Center at the time, and testified that they had detected “malware beaconing out to a command and control center from, at the time, two different servers.” The malware, a DLL file called “mcutill.dll,” had been disguised as a McAfee antivirus component. Because OPM didn’t use McAfee, it stood out and was quickly spotted, he stated.
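The two signals described above, periodic outbound beaconing and a module named after a security product the organisation does not run, are both detectable from ordinary telemetry. The following Python script is an added example, not code from OPM, the committee or CyTech: it parses a constructed set of module-load/connection records (the hosts, addresses and timestamps are invented; only the file name mcutill.dll comes from the page), flags modules styled after a vendor that is not in the deployed inventory, and flags host/destination pairs whose connection intervals are nearly constant. The vendor filename prefixes, the deployed-vendor list and the log format are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records, modelled on the page's description (a DLL named
# mcutill.dll beaconing from two servers). Hosts, addresses and times are not
# real OPM data; 203.0.113.x / 198.51.100.x are documentation address ranges.
SAMPLE_LOG = """\
2015-04-15T02:00:00Z host=srv-01 proc=svchost.exe module=mcutill.dll dst=203.0.113.7:443
2015-04-15T02:05:00Z host=srv-01 proc=svchost.exe module=mcutill.dll dst=203.0.113.7:443
2015-04-15T02:10:00Z host=srv-01 proc=svchost.exe module=mcutill.dll dst=203.0.113.7:443
2015-04-15T02:15:00Z host=srv-01 proc=svchost.exe module=mcutill.dll dst=203.0.113.7:443
2015-04-15T02:20:00Z host=srv-01 proc=svchost.exe module=mcutill.dll dst=203.0.113.7:443
2015-04-15T02:00:30Z host=srv-02 proc=svchost.exe module=mcutill.dll dst=203.0.113.7:443
2015-04-15T02:05:33Z host=srv-02 proc=svchost.exe module=mcutill.dll dst=203.0.113.7:443
2015-04-15T02:10:28Z host=srv-02 proc=svchost.exe module=mcutill.dll dst=203.0.113.7:443
2015-04-15T02:15:31Z host=srv-02 proc=svchost.exe module=mcutill.dll dst=203.0.113.7:443
2015-04-15T02:20:29Z host=srv-02 proc=svchost.exe module=mcutill.dll dst=203.0.113.7:443
2015-04-15T02:01:12Z host=wks-07 proc=chrome.exe module=chrome.dll dst=198.51.100.20:443
2015-04-15T02:01:45Z host=wks-07 proc=chrome.exe module=chrome.dll dst=198.51.100.21:443
2015-04-15T02:09:03Z host=wks-07 proc=chrome.exe module=chrome.dll dst=198.51.100.20:443
2015-04-15T02:30:11Z host=wks-07 proc=chrome.exe module=chrome.dll dst=198.51.100.20:443
2015-04-15T02:02:00Z host=srv-01 proc=acmeav.exe module=acmescan.dll dst=10.0.0.5:8014
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"module=(?P<module>\S+) dst=(?P<dst>\S+)$"
)

# Assumed filename prefixes that suggest a file is posing as a vendor's product.
# A real inventory would be richer (signer, path, hash); this is deliberately coarse.
VENDOR_NAME_HINTS = {
    "McAfee": re.compile(r"^(mc|mfe)", re.IGNORECASE),
    "AcmeAV": re.compile(r"^acme", re.IGNORECASE),  # constructed vendor name
}

# Security products actually deployed in the constructed environment. A module that
# looks like McAfee's is suspicious precisely because McAfee is not on this list.
DEPLOYED_VENDORS = {"AcmeAV"}


def parse_log(text):
    """Parse one record per line into dicts; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines rather than aborting the sweep
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_vendor_impersonation(events, deployed):
    """Return (host, module, vendor) for modules styled after a vendor not in use."""
    hits = set()
    for e in events:
        for vendor, pattern in VENDOR_NAME_HINTS.items():
            if vendor not in deployed and pattern.match(e["module"]):
                hits.add((e["host"], e["module"], vendor))
    return hits


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Flag (host, dst) pairs whose inter-connection gaps are nearly constant.

    cv = stdev / mean of the gaps. Several hits with a low cv is the classic
    signature of a timer-driven check-in to a command-and-control server;
    human-driven traffic (the wks-07 lines) is too irregular and too sparse.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["dst"])].append(e["ts"])
    beacons = []
    for (host, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"host": host, "dst": dst, "hits": len(stamps),
                            "interval_s": avg, "cv": cv})
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in sorted(find_vendor_impersonation(evs, DEPLOYED_VENDORS)):
        print("impersonation:", hit)
    for beacon in find_beacons(evs):
        print("beacon:", beacon)
```

Run as-is, the script reports mcutill.dll on srv-01 and srv-02 as a McAfee look-alike in an environment with no McAfee, and reports both servers checking in to 203.0.113.7:443 roughly every 300 seconds (the second server's slightly jittered schedule still lands well under the 10% cv threshold). The prefix heuristic will also catch legitimate files whose names happen to start with "mc", which is why a production version would key on the signer and install path rather than the bare filename.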
So as bad as the breach was, at least OPM can assert that it discovered the breach through its own security.