Update (July 10, 12:38 p.m.): OPM Director Katherine Archuleta announced Friday that she is resigning. Read her full statement here.
The Office of Personnel Management announced Thursday that Social Security numbers and other personal data for 21.5 million individuals, including federal employees, their spouses and children, was stolen in a massive cyber hack targeting background investigation records stored by OPM.
The hack was discovered in late May and is one of two recently discovered breaches targeting OPM systems and data. The other security breach was detected in April, after hackers stole personnel data (names, Social Security numbers, training records) of 4.2 million current and former federal employees.
This is the first time we’ve heard concrete numbers from OPM on how many people were affected by the background investigation incident. If you’ve undergone a background investigation with OPM in the last 15 years, it is “highly likely” that you were impacted by the breach, according to OPM. “If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely.”
Here’s a brief summary from OPM of background investigation data that was stolen:
“Social Security numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”
Although Director of National Intelligence James Clapper has publicly named China as the leading suspect in the OPM hacks, other administration officials have declined to point the finger at the Chinese.
But the U.S. government’s investigation indicates that the hacks were carried out by the same actor moving between different networks, Andy Ozment, Assistant Secretary for the Department of Homeland Security’s Office of Cybersecurity & Communications, told reporters Thursday. Hackers broke into the network using a stolen username and password of a government contractor.
“I truly understand the impact this has on our current and former federal employees, our military personnel and our contractors,” OPM Director Katherine Archuleta told reporters. “Each and every one of us at OPM is committed to protecting the safety and security of the information that is placed in our trust, and we remain committed to do everything in our power to assist those that have been impacted by this incident, and we will continue with my strategic plan to safeguard our systems and data.”
OPM will begin notifying affected individuals in the coming weeks and provide them with details on the incident and information on how to access these services.
With today’s announcement there’s a lot of additional information to digest, so I’ve listed key stats below to help you understand what this all means for you, your family and acquaintances.
21.5 million current, former, and prospective civilian and defense employees and contractors were affected in the background investigation breach. This includes individuals who submitted forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation. Spouses, co-habitants and children whose sensitive data was included in those forms were also affected. These forms may also include less sensitive data (names, birthdates and addresses) about immediate family members and close friends. For those individuals, OPM said it will provide best practices for them to protect themselves and information about publicly available resources to address their concerns (free monitoring services will not be provided to these individuals). To clarify, this breach of background investigations data was discovered in late May.
1.1 million fingerprints were stolen in the background investigations breach, including records with findings from interviews conducted by background investigators.
19.7 million of the affected 21.5 million individuals were those who applied for a background investigation.
1.8 million of the affected 21.5 million individuals were non-applicants, mainly spouses or co-habitants of applicants.
3.6 million of the affected 21.5 million individuals were those whose data was also stolen in the first breach involving personnel records for 4.2 million people.
4.2 million current and former federal civilian employees at executive branch agencies, including the Department of Defense, were impacted by the breach involving personnel records. This is the breach that OPM discovered in April and announced in early June. Here’s the data hackers stole: names, Social Security numbers, birthdates, place of birth, current and former addresses, job assignments, training records, benefit selections.
3 years is the minimum length of time that OPM will provide free monitoring and protection services for background investigation applicants and non-applicants whose Social Security numbers and other sensitive information were stolen. OPM and the Defense Department are working with a private company to provide affected individuals full service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continuous credit monitoring, and fraud monitoring services beyond credit files. Archuleta said the agency is working closely with interagency partners to decide whether the services for identity theft protection should be a part of a benefit package for all feds — regardless of whether they were impacted by the breaches.
90 days is the time period set for an interagency review of key questions related to information security, governance, policy, and other aspects of the security and suitability determination process. The goal is to ensure that it is conducted in an efficient, effective and secure manner. OPM will be involved in this review.
30-day cybersecurity sprint, announced last month by Federal Chief Information Officer Tony Scott, is winding down. Agencies were given 30 days to speed adoption of key security features, including multi-factor authentication. This requires the use of additional information (beyond usernames and passwords), such as PIV cards, tokens or biometrics to verify an individual’s identity. Federal civilian agencies have increased multi-factor authentication use for privileged users by 20 percent within the first 10 days of the sprint, according to Scott. Several agencies now have multi-factor authentication in place for all of their privileged users, which include system administrators.
40,000 systems have been scanned by DHS for critical vulnerabilities, and that number is growing. Federal agencies use data from those scans to patch vulnerabilities as they are identified.
For more information about the breach and updates from OPM, check out https://www.opm.gov/cybersecurity.