On July 9, the U.S. Office of Personnel Management (OPM) finally updated the country about the severity of a breach that was first announced in June 2015. In a press release, the agency reported that the second breach now affects 21.5 million people: 19.7 million individuals who applied for security clearance background checks starting in 2000, and 1.8 million non-applicants such as spouses, partners and family members. The total did not include the four million from the first breach.
Hackers had access to sensitive information that could be used for identity theft or cyber-espionage. Social Security Numbers, residency and educational history, employment history, information about immediate family and other personal and business acquaintances, fingerprints, and health, criminal and financial history were all in the breached files. Some records also include findings from interviews conducted by background investigators that discussed mental health treatments, sexual assaults, and drug and alcohol addictions. Usernames and passwords that the applicants used to fill out their 127-page SF-86 background investigation forms were also stolen.
Giving people a sense of the vulnerability these 25 million people feel, FBI Director James Comey released a statement regarding the breach. “If you have my SF-86, you know every place I’ve lived since I was 18, contact people at those addresses, neighbors at those addresses, all of my family, every place I’ve traveled outside the United States since I was 18.” Comey added, “If I had substantial contact with any non-United States person, it’s on there, along with the contact information of that person. Just imagine you were a foreign intelligence service and you had that data, how it might be useful to you. So it’s a big deal.”
The new numbers expanding the scope of the cyber attack come one day after FBI Director Comey called the hack an “enormous breach” before the U.S. Senate Intelligence Committee, saying “millions and millions” of government records were stolen, including his own. The two OPM breaches have triggered numerous hearings in the Senate and House. “Since at least 2007, OPM leadership has been on notice about the vulnerabilities to its network and cybersecurity policies and practices,” House Oversight Committee Chairman Jason Chaffetz (R-UT) said in a statement and added, “Such incompetence is inexcusable.” Other members expressed their indignation and called for the recall or resignations of the agency’s leadership.
In the meantime, OPM Director Katherine Archuleta and Chief Information Officer Donna Seymour are working on damage control. Labor groups and U.S. Treasury employees have claimed the breach is a violation of the constitutional right to privacy and have filed lawsuits in the last two weeks seeking lifetime credit monitoring. The credit monitoring company that was contracted to help has been overwhelmed by calls and emails, which only increases the ire of the people seeking answers.
As of July 9, OPM’s website has several sections addressing the two breaches. In the newest press release they included information about the steps they plan to take and promised new information will be available in a “timely, transparent, and accurate manner.” “Today, OPM launched a new, online incident resource center – located at https://www.opm.gov/cybersecurity – to offer information regarding the OPM incidents as well as direct individuals to materials, training, and useful information on best practices to secure data, protect against identity theft, and stay safe online.”
Several high-ranking officials in federal agencies and Congress have raged about the failure of OPM to address weaknesses in their computer systems as pointed out by the Inspector General of OPM. Some on Capitol Hill might even be shaking their heads upon reading OPM Director Katherine Archuleta’s July 9 blog.
In it she talks about sharing information on best cyber practices. “I have brought to OPM experts in cyber security and management from both inside and outside of government. In particular, I have created a new cybersecurity advisor position. OPM has established an online cybersecurity incident resource center to offer information regarding materials, training, and useful information on best cyber practices. I have also initiated a comprehensive review of the security of OPM’s IT systems to identify and immediately mitigate any other vulnerabilities that may exist. That review is ongoing.”
Is this the largest U.S. data breach? Technically, several credit card breaches have affected more people, but the damage is limited primarily to the card issuers. Could it be the worst? Only time will tell if the stolen information will be used or exploited.
This story is breaking and will be updated.