OPM Announces More Than 21 Million Affected by Second Data Breach

The federal personnel agency finally announced Thursday the scope of a massive hack of security-clearance information first revealed last month.

Office of Personnel Management Director Katherine Archuleta testifies on Capitol Hill in Washington.
Dustin Volz and Kaveh Waddell
Add to Briefcase
Dustin Volz and Kaveh Waddell
July 9, 2015, 11:11 a.m.

More than 21 mil­lion So­cial Se­cur­ity num­bers were com­prom­ised in a breach that af­fected a data­base of sens­it­ive in­form­a­tion on fed­er­al em­ploy­ees held by the Of­fice of Per­son­nel Man­age­ment, the agency an­nounced Thursday.

This hack is sep­ar­ate from the breach of OPM data that com­prom­ised 4.2 mil­lion So­cial Se­cur­ity num­bers and was made pub­lic in June. Of­fi­cials have privately linked both in­tru­sions to China.

Of the 21.5 mil­lion re­cords that were stolen, 19.7 mil­lion be­longed to in­di­vidu­als who had un­der­gone back­ground in­vest­ig­a­tions, OPM said. The re­main­ing 1.8 mil­lion re­cords be­longed to oth­er in­di­vidu­als, mostly ap­plic­ants’ fam­il­ies.

3.6 mil­lion people were af­fected by both breaches, OPM press sec­ret­ary Sam Schu­mach said Thursday night, bring­ing the total num­ber of in­di­vidu­als af­fected by the pair of OPM hacks to 22.1 mil­lion.

The re­cords that were com­prom­ised in the breach an­nounced Thursday in­clude de­tailed, sens­it­ive back­ground in­form­a­tion, such as em­ploy­ment his­tory, re­l­at­ives, ad­dresses, and past drug ab­use or emo­tion­al dis­orders. OPM said 1.1 mil­lion of the com­prom­ised files in­cluded fin­ger­prints.

(RE­LATED: Law­maker Pledges Le­gis­la­tion to Bet­ter Pro­tect Hacked Feds as An­oth­er Uni­on Sues OPM)

Some of the files in the com­prom­ised data­base also in­clude “res­id­ency and edu­ca­tion­al his­tory; em­ploy­ment his­tory; in­form­a­tion about im­me­di­ate fam­ily and oth­er per­son­al and busi­ness ac­quaint­ances; health, crim­in­al and fin­an­cial his­tory; and oth­er de­tails,” OPM said.

Also in­cluded in the data­base is in­form­a­tion from back­ground in­vest­ig­a­tions, as well as user­names and pass­words that ap­plic­ants used to fill out in­vest­ig­a­tion forms. And al­though sep­ar­ate sys­tems that store health, fin­an­cial, and payroll in­form­a­tion do not ap­pear to have been com­prom­ised, the agency says some men­tal health and fin­an­cial in­form­a­tion is in­cluded in the se­cur­ity clear­ance files that were af­fected by the hack.

Be­sides the 21.5 mil­lion in­di­vidu­als who had their So­cial Se­cur­ity in­form­a­tion stolen, OPM says oth­ers’ identi­fy­ing in­form­a­tion—such as their names, ad­dresses, and dates of birth—also were com­prom­ised.

OPM will provide cred­it mon­it­or­ing and iden­tity-theft pro­tec­tion ser­vices to the in­di­vidu­als whose So­cial Se­cur­ity num­bers were stolen, but those in­di­vidu­als will be re­spons­ible for dis­sem­in­at­ing in­form­a­tion to oth­er people they may have lis­ted on their back­ground check forms. Those people, whom the gov­ern­ment will not con­tact dir­ectly, will not have ac­cess to gov­ern­ment-bought iden­tity-pro­tec­tion ser­vices.

The hack that res­ul­ted in the loss of these re­cords began in May 2014, ac­cord­ing to OPM Dir­ect­or Kath­er­ine Archu­leta’s testi­mony be­fore Con­gress. It was not dis­covered un­til May 2015.

(RE­LATED: A Timeline of Gov­ern­ment Data Breaches)

A se­cur­ity up­date ap­plied by OPM and the Home­land Se­cur­ity De­part­ment in Janu­ary ended the bulk of the data ex­trac­tion, ac­cord­ing to con­gres­sion­al testi­mony from Andy Oz­ment, as­sist­ant sec­ret­ary for cy­ber­se­cur­ity and com­mu­nic­a­tions at DHS, even though the breach would not be dis­covered for months.

OPM said Thursday that in­di­vidu­als who un­der­went back­ground in­vest­ig­a­tions in or after the year 2000 are “highly likely” to have had their in­form­a­tion com­prom­ised in the breach. (This in­cludes both new ap­plic­ants and em­ploy­ees that were sub­ject to a “peri­od­ic re­in­vest­ig­a­tion” dur­ing that time.) But those who were in­vest­ig­ated be­fore 2000 also may have been af­fected.

CSID, the con­tract­or that was em­ployed to send out no­ti­fic­a­tions and provide iden­tity pro­tec­tion to the 4.2 mil­lion in­di­vidu­als af­fected by the hack an­nounced in June, is not cur­rently in­volved in the no­ti­fic­a­tion pro­cess for this data breach, a spokes­man for the com­pany said.

Law­makers and of­fi­cials cri­ti­cized CSID for its hand­ling of the earli­er no­ti­fic­a­tion pro­cess, and for mak­ing many em­ploy­ees who called in with ques­tions wait on hold for hours. It was not im­me­di­ately clear what com­pany will handle the next round of no­ti­fic­a­tions.

News of the second in­tru­sion was first re­por­ted in June and was de­scribed as a po­ten­tially dev­ast­at­ing heist of gov­ern­ment data, as hack­ers seized ex­tens­ive se­cur­ity-clear­ance in­form­a­tion from in­tel­li­gence and mil­it­ary per­son­nel. OPM said at the time that it be­came aware of the second hack while in­vest­ig­at­ing the smal­ler breach.

The size of the second breach ex­ceeds most of the es­tim­ates pre­vi­ously re­por­ted in vari­ous me­dia out­lets.

The per­son­nel agency said Thursday that it has not seen any in­dic­a­tion that the stolen in­form­a­tion has been “mis­used” or oth­er­wise dis­sem­in­ated.

(RE­LATED: Wash­ing­ton Can’t Fix Com­puter Glitches)

On Wed­nes­day, FBI Dir­ect­or James Comey re­fused to provide a spe­cif­ic num­ber when asked by mem­bers of the Sen­ate In­tel­li­gence Com­mit­tee about the size of the breach. Comey did say the hack was “enorm­ous,” however, and con­firmed that his own data had been com­prom­ised.

Sev­er­al law­makers in both parties have called for the resig­na­tions of Archu­leta and Donna Sey­mour, the chief in­form­a­tion of­ficer at OPM, since the data breaches came to light last month. A rush of state­ments Thursday ad­ded to that grow­ing chor­us build­ing against Archu­leta, from House Speak­er John Boehner, House Ma­jor­ity Whip Steve Scal­ise, and Re­pub­lic­an Sens. John Mc­Cain and Marco Ru­bio, among oth­ers.

Sen. Mark Warner, who sits on the Sen­ate In­tel­li­gence Com­mit­tee and has been in­volved in the fal­lout fol­low­ing the OPM hacks, also called for Archu­leta’s ouster late Thursday.

“The tech­no­lo­gic­al and se­cur­ity fail­ures at the Of­fice of Per­son­nel Man­age­ment pred­ate this dir­ect­or’s term, but Dir­ect­or Archu­leta’s slow and un­even re­sponse has not in­spired con­fid­ence that she is the right per­son to man­age OPM through this crisis,” the Vir­gin­ia Demo­crat said in a Thursday night state­ment. “It is time for her to step down, and I strongly urge the ad­min­is­tra­tion to choose new man­age­ment with proven abil­it­ies to ad­dress a crisis of this mag­nitude with an ap­pro­pri­ate sense of ur­gency and ac­count­ab­il­ity.”

Rep. Bar­bara Com­stock, a Vir­gin­ia Re­pub­lic­an who was no­ti­fied last month that her per­son­al in­form­a­tion had been com­prom­ised in the hacks due to her pre­vi­ous roles as a fed­er­al em­ploy­ee, chided Archu­leta for dis­play­ing “com­pla­cency, apathy “… and in­com­pet­ence” in the wake of the breach.

“It goes to the top,” Com­stock said in an in­ter­view with Na­tion­al Journ­al. “This is a fail­ure of lead­er­ship on her part, and if the pres­id­ent does not have the lead­er­ship to do this, I think she should step aside.”

At least two House Demo­crats, Reps. Ted Lieu and Jim Langev­in, the co­chair of the House cy­ber­se­cur­ity caucus, also have de­man­ded Archu­leta’s re­mov­al. Lieu and Re­pub­lic­an Rep. Steve Rus­sell went a step fur­ther Thursday, an­noun­cing that they were work­ing on le­gis­la­tion that would move the se­cur­ity-clear­ance data­base out of OPM en­tirely and in­to the hands of an un­spe­cified agency “that has a bet­ter grasp of cy­ber­threats.”

Archu­leta, for her part, has re­mained res­ol­ute in the face of with­er­ing scru­tiny. Dur­ing a Thursday press call, the one­time polit­ic­al dir­ect­or for Pres­id­ent Obama’s 2012 reelec­tion cam­paign, said she and her staff should be ap­plauded, not con­demned, for their ef­forts to up­grade the agency’s cy­ber­se­cur­ity since she took of­fice in Novem­ber 2013.

“It is be­cause the ef­forts of OPM and its staff that we’ve been able to identi­fy the breaches,” Archu­leta said. When asked dir­ectly if she or Sey­mour would resign, Archu­leta replied: “No.”

A White House spokes­man re­it­er­ated sup­port for the OPM dir­ect­or Thursday, echo­ing re­cent state­ments from White House press sec­ret­ary Josh Earn­est. In mid-June, Earn­est said that Obama “has con­fid­ence” that Archu­leta “is the right per­son for the job.”

This art­icle has been cla­ri­fied to re­flect the total num­ber of in­di­vidu­als af­fected by either OPM data breach.

What We're Following See More »
Saudis Admit Khashoggi Killed in Embassy
10 hours ago

"Saudi Arabia said Saturday that Jamal Khashoggi, the dissident Saudi journalist who disappeared more than two weeks ago, had died after an argument and fistfight with unidentified men inside the Saudi Consulate in Istanbul. Eighteen men have been arrested and are being investigated in the case, Saudi state-run media reported without identifying any of them. State media also reported that Maj. Gen. Ahmed al-Assiri, the deputy director of Saudi intelligence, and other high-ranking intelligence officials had been dismissed."

Mueller Looking into Ties Between WikiLeaks, Conservative Groups
10 hours ago

"Special counsel Robert Mueller’s investigation is scrutinizing how a collection of activists and pundits intersected with WikiLeaks, the website that U.S. officials say was the primary conduit for publishing materials stolen by Russia, according to people familiar with the matter. Mr. Mueller’s team has recently questioned witnesses about the activities of longtime Trump confidante Roger Stone, including his contacts with WikiLeaks, and has obtained telephone records, according to the people familiar with the matter."

Mueller To Release Key Findings After Midterms
10 hours ago

"Special Counsel Robert Mueller is expected to issue findings on core aspects of his Russia probe soon after the November midterm elections ... Specifically, Mueller is close to rendering judgment on two of the most explosive aspects of his inquiry: whether there were clear incidents of collusion between Russia and Donald Trump’s 2016 campaign, and whether the president took any actions that constitute obstruction of justice." Mueller has faced pressure to wrap up the investigation from Deputy Attorney General Rod Rosenstein, said an official, who would receive the results of the investigation and have "some discretion in deciding what is relayed to Congress and what is publicly released," if he remains at his post.

FinCen Official Charged with Leaking Info on Manafort, Gates
10 hours ago
"A senior official working for the Treasury Department's Financial Crimes Enforcement Network (FinCEN) has been charged with leaking confidential financial reports on former Trump campaign advisers Paul Manafort, Richard Gates and others to a media outlet. Prosecutors say that Natalie Mayflower Sours Edwards, a senior adviser to FinCEN, photographed what are called suspicious activity reports, or SARs, and other sensitive government files and sent them to an unnamed reporter, in violation of U.S. law."
DOJ Charges Russian For Meddling In 2018 Midterms
10 hours ago

"The Justice Department on Friday charged a Russian woman for her alleged role in a conspiracy to interfere with the 2018 U.S. election, marking the first criminal case prosecutors have brought against a foreign national for interfering in the upcoming midterms. Elena Khusyaynova, 44, was charged with conspiracy to defraud the United States. Prosecutors said she managed the finances of 'Project Lakhta,' a foreign influence operation they said was designed 'to sow discord in the U.S. political system' by pushing arguments and misinformation online about a host of divisive political issues, including immigration, the Confederate flag, gun control and the National Football League national-anthem protests."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.