Federal Bureau of Investigation Director James Comey admitted on Tuesday that more than 18 million current, former and prospective federal employees were affected by the recent cyber-attack at the Office of Personnel Management. The agency had previously publicly acknowledged that only 4.2 million were affected. Those affected could include people who applied for government jobs but never actually ended up working for the government. The same hackers who accessed OPM’s data are believed to have breached an OPM contractor, KeyPoint Government Solutions, last year, U.S. officials said. When the OPM breach was discovered in April, investigators found that KeyPoint security credentials were used to breach the OPM system.
During a brief, tense exchange, OPM Director Katherine Archuleta refused to blame anyone in her agency. Archuleta said only the perpetrators should be blamed. She said current failures result from decades of meager investment in security systems, but said changes are being made and in fact helped detect the latest breaches.
During the Senate committee hearing on Tuesday, Archuleta testified that a second hack indeed exposed more individuals, though she said its “scope” and “impact” have not yet been determined. She said this separate incident has affected files related to background investigations for “current, former and prospective government employees.” Amid concerns that those affected have been left in the dark, Archuleta said the government would be notifying those whose information may have been compromised “as soon as practicable.”
It was reported earlier that officials, in the second hack, were concerned information may have been stolen from a document known as Standard Form 86, which requires applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. The form also requires the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant’s Social Security number and that of his or her cohabitant are required.
Some American officials have pointed fingers at China in at least one of the breaches. The revelations and Tuesday’s hearing come while Secretary of State John Kerry is participating in a U.S.-China economic dialogue. A major union said it believes the hackers stole Social Security numbers, military records and veterans’ status information, addresses, birth dates, job and pay histories; health insurance, life insurance and pension information; and age, gender and race data.
OPM’s internal auditors told a House Oversight Committee that databases holding national security data, including applications for background checks, failed to meet security standards. “Not only was a large volume (11 out of 47 systems) of OPM’s IT systems operating without a valid Authorization, but several of these systems are among the most critical and sensitive applications owned by the agency,” Michael Esser, OPM’s assistant inspector general for audits, wrote in testimony prepared for the committee.