The Office of Personnel Management announced today that 21.5 million people were affected by the second cyber breach of its background investigation databases.
“Since learning of the incident affecting background investigation records, OPM and the interagency incident response team have moved swiftly and thoroughly to assess the breach, analyze what data may have been stolen, and identify those individuals who may be affected,” an OPM release said. “The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.”
Some of the records affected include interviews conducted by background investigators along with approximately 1.1 million fingerprints. During an afternoon press briefing, OPM Director Katherine Archuleta elaborated on the information exposed during the second cyber breach.
“OPM has determined that the types of information in these records include identification details such as Social Security numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details,” Archuleta said.
In addition, user names and passwords that individuals used to complete their background application forms were stolen. And the 21.5 million total includes the theft of 3.6 million individuals’ personnel records.
“There is no information at this time of any misuse or further dissemination of the information that was stolen from OPM’s system,” Archuleta said. “There is no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of federal personnel are impacted by the incident.”
This second cyber breach is “separate but related” to a previous cyber breach discovered in April that OPM concluded affected 4.2 million people, the agency said in its release. It’s not yet clear how many individuals were victims in both breaches.
What has come to light is that when individuals underwent background checks matters quite a bit in relation to whether they’re part of the 21.5 million. OPM said if their background check took place in 2000 or afterwards it is “highly likely” that they are in the impacted group; if before 2000, they “may be impacted, but it is less likely.”
Next steps for the 21.5 million affected
To help the victims, Archuleta said her agency will be providing a suite of credit and identity theft monitoring and protection services for both background investigation applicants and non-applicants whose sensitive information was stolen. The protections will be provided for at least three years free of charge.
“Individualized notification packages offering these services, with further details on the incident, will be sent in the coming weeks,” Archuleta wrote in a blog post. “We will be incorporating lessons learned and feedback from stakeholders about the notification process just completed for a related cybersecurity incident.”
Archuleta’s agency is also developing “a proposal for types of credit and identity theft monitoring services that should be provided to all federal employees in the future,” she said.
In response, the Professional Services Council released a statement saying that the administration is “taking the right steps to protect all affected parties.”
“They’re doing now what we urged them and our member companies to do before this announcement, which is to offer a full array of identity theft monitoring tools to give those at risk peace of mind in this disturbing and difficult time,” PSC president and CEO Stan Soloway said.
Going forward, OPM is establishing both a call center and an online incident resource center to offer more information and materials. The call center is not yet open. But in the meantime, individuals can go to (https://www.opm.gov/cybersecurity), which will be regularly updated.
The White House this afternoon, in light of the news, reiterated its dedication to ward off cyber threats by listing off its efforts during the past six months. These include holding the White House Summit on Cybersecurity and Consumer Protection, and the Department of Homeland Security’s continual development of a system to automate the sharing of cyber threat indicators between the private sector and government.
Criticism of OPM continues:
Others are voicing more criticism, noting that the hack has turned out to be six times larger than OPM initially reported. Sen. Ron Johnson (R-Wis.), chairman of the Senate Committee on Homeland Security and Governmental Affairs, said the announcement confirmed what the media and FBI have been saying for the past month.
“Today’s announcement shows not only that cybersecurity on federal agency networks has been grossly inadequate but that the management of the OPM is not up to the task of fixing the problem,” Johnson said, via a statement. “he agency and the administration have not even been able to correctly define the scope of the problem. This will have grave consequences for national security.”
Sen. James Lankford (R-OK), a member of the Senate Intelligence Committee and the chairman of the Senate Subcommittee on Regulatory Management and Federal Workforce, called the breach a “major national crisis.”
“The string of continuing bad news is the result of years of failed cybersecurity policy and a large bureaucratic government that is slow to respond and react to emerging threats.,” he said in a statement. “OPM’s historic inability to adapt and upgrade their processes are well documented. This is not an issue of legacy hardware, it is a problem with legacy security processes.”