
OPM's 2nd Breach: 21.5 Million Victims

Members of Congress Intensify Criticism of Agency
(Editor's Note: Katherine Archuleta resigned July 10 as director of the Office of Personnel Management. See the latest update for more information.)

A federal government forensics investigative team concludes with "high confidence" that hackers stole the personally identifiable information of 21.5 million individuals in the breach of U.S. Office of Personnel Management computers that contained security clearance information.

The breach of the security-clearance system, publicly revealed on June 12, was one of two separate but related cyber-attacks against OPM systems that the government disclosed this spring. An earlier attack, announced on June 4, targeted a personnel system in which the personal information of 4.2 million federal employees and retirees was stolen, according to OPM. Some 3.6 million individuals were affected in both breaches, according to several news media reports.

The latest OPM announcement intensified the criticism of the agency for its handling of the breach. House Oversight Committee Chairman Jason Chaffetz, R-Utah, renewed his call for the resignation of OPM Director Katherine Archuleta and CIO Donna Seymour, saying they have "consciously ignored the warnings and failed to correct these weaknesses. Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries. Such incompetence is inexcusable."

Senate Homeland Security Committee Chairman Ron Johnson, R-Wis., says the latest announcement "shows not only that cybersecurity on federal agency networks has been grossly inadequate but that the management of the OPM is not up to the task of fixing the problem. The agency and the administration have not even been able to correctly define the scope of the problem. This will have grave consequences for national security."

Government-Wide Effort

The ranking member of the Senate Homeland Security Committee, Democrat Tom Carper of Delaware, was less critical of OPM than his Republican colleagues, saying it should be a government-wide effort to mitigate OPM-type breaches. "We need to come together - in Congress, the administration and across federal agencies - and launch an all-hands-on-deck effort to secure our federal networks," Carper says. "Too many malicious cyber-hackers are good at what they do, and they're getting better all the time. On the heels of this news, we need to act with urgency to bolster our cyber-defenses across our federal agencies. We owe it to these millions of individuals - and to the American public - to begin restoring their confidence in our government's ability to keep their personal information safe and secure."

Meanwhile, Archuleta posted a blog in which she outlined numerous steps OPM is taking to be more transparent about cybersecurity. "It is critical that all of OPM's constituents, most importantly, those who are directly impacted by these breaches, receive information in a timely, transparent and accurate manner," Archuleta says. "As I have said before, we take these incidents extremely seriously and, accordingly, are taking a number of steps to address both our cybersecurity and our process going forward."

Spouses' PII Also Exposed

According to an OPM statement, pilfered information in the second breach included the Social Security numbers of 19.7 million applicants and 1.8 million non-applicants, mostly spouses or partners of applicants. Information regarding residency, education history, employment history, immediate family members, personal and business acquaintances, health, finances and criminal history also was exposed in the breach. Forensic investigators concluded that findings from interviews conducted by background investigators and 1.1 million fingerprints were stolen as well.

While background investigation records contain some information regarding mental health and financial history provided by security-clearance applicants and by individuals contacted during background investigations, OPM says it has no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of federal personnel were affected by this breach.

The government says it's highly likely that individuals who applied for security clearances through OPM using Standard Form 85, 85P or 86 in 2000 or thereafter would have had their PII exposed. OPM says it was less likely, though possible, that those seeking background clearance prior to 2000 might have had their PII stolen.

Free Monitoring for Three Years

OPM says that for the 21.5 million background investigation applicants, spouses or partners whose PII was stolen, the government will provide three years of free services through a private firm. Those services include identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minors, continuous credit monitoring and fraud monitoring services.

To keep federal employees informed, Archuleta announced that the agency has established an online cybersecurity incident resource center to offer information regarding materials, training and other information on best cyber practices.

To date, the White House has not attributed the OPM hack to any person or state, but it has acknowledged that it is weighing sanctions. U.S. Director of National Intelligence James Clapper, however, has noted that the "leading suspect" behind the attack is China. The Chinese government, however, has denied having any involvement in the hack attack.

Second Union Sues OPM

As the reported scope of the breach continues to expand, so do the political and legal repercussions. Last month, the American Federation of Government Employees union, which represents 670,000 employees, filed a class-action lawsuit against both OPM and multiple OPM officials (see OPM Suspends Background Check System).

Now, the National Treasury Employees Union, which represents 150,000 employees, has filed a breach-related suit against OPM. Its lawsuit, filed July 8, alleges that the agency violated NTEU members' constitutional rights by failing to safeguard their personal information (see Why So Many Data Breach Lawsuits Fail).

"Federal employees entrust highly personal information to OPM with the expectation that it will be kept confidential and safe from unauthorized access," says NTEU President Colleen M. Kelley. "OPM's failure to do so violated our members' constitutional right to informational privacy."

The union is demanding that OPM provide all NTEU members with lifetime credit-monitoring services and identity theft protection, pursue steps to better secure its security infrastructure and not collect any electronic data from NTEU members until a court signs off on the agency's information security upgrades.

"We believe that a lawsuit is the best way to force OPM to take immediate steps to safeguard personnel data, prevent such attacks in the future and help our members protect themselves against the fallout," Kelley says.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



