OPM Announces More Than 21 Million Affected by Second Data Breach

The federal personnel agency finally announced Thursday the scope of a massive hack of security-clearance information first revealed last month.

Office of Personnel Management Director Katherine Archuleta testifies on Capitol Hill in Washington.
Dustin Volz and Kaveh Waddell
Add to Briefcase
Dustin Volz and Kaveh Waddell
July 9, 2015, 11:11 a.m.

More than 21 mil­lion So­cial Se­cur­ity num­bers were com­prom­ised in a breach that af­fected a data­base of sens­it­ive in­form­a­tion on fed­er­al em­ploy­ees held by the Of­fice of Per­son­nel Man­age­ment, the agency an­nounced Thursday.

This hack is sep­ar­ate from the breach of OPM data that com­prom­ised 4.2 mil­lion So­cial Se­cur­ity num­bers and was made pub­lic in June. Of­fi­cials have privately linked both in­tru­sions to China.

Of the 21.5 mil­lion re­cords that were stolen, 19.7 mil­lion be­longed to in­di­vidu­als who had un­der­gone back­ground in­vest­ig­a­tions, OPM said. The re­main­ing 1.8 mil­lion re­cords be­longed to oth­er in­di­vidu­als, mostly ap­plic­ants’ fam­il­ies.

3.6 mil­lion people were af­fected by both breaches, OPM press sec­ret­ary Sam Schu­mach said Thursday night, bring­ing the total num­ber of in­di­vidu­als af­fected by the pair of OPM hacks to 22.1 mil­lion.

The re­cords that were com­prom­ised in the breach an­nounced Thursday in­clude de­tailed, sens­it­ive back­ground in­form­a­tion, such as em­ploy­ment his­tory, re­l­at­ives, ad­dresses, and past drug ab­use or emo­tion­al dis­orders. OPM said 1.1 mil­lion of the com­prom­ised files in­cluded fin­ger­prints.

(RE­LATED: Law­maker Pledges Le­gis­la­tion to Bet­ter Pro­tect Hacked Feds as An­oth­er Uni­on Sues OPM)

Some of the files in the com­prom­ised data­base also in­clude “res­id­ency and edu­ca­tion­al his­tory; em­ploy­ment his­tory; in­form­a­tion about im­me­di­ate fam­ily and oth­er per­son­al and busi­ness ac­quaint­ances; health, crim­in­al and fin­an­cial his­tory; and oth­er de­tails,” OPM said.

Also in­cluded in the data­base is in­form­a­tion from back­ground in­vest­ig­a­tions, as well as user­names and pass­words that ap­plic­ants used to fill out in­vest­ig­a­tion forms. And al­though sep­ar­ate sys­tems that store health, fin­an­cial, and payroll in­form­a­tion do not ap­pear to have been com­prom­ised, the agency says some men­tal health and fin­an­cial in­form­a­tion is in­cluded in the se­cur­ity clear­ance files that were af­fected by the hack.

Be­sides the 21.5 mil­lion in­di­vidu­als who had their So­cial Se­cur­ity in­form­a­tion stolen, OPM says oth­ers’ identi­fy­ing in­form­a­tion—such as their names, ad­dresses, and dates of birth—also were com­prom­ised.

OPM will provide cred­it mon­it­or­ing and iden­tity-theft pro­tec­tion ser­vices to the in­di­vidu­als whose So­cial Se­cur­ity num­bers were stolen, but those in­di­vidu­als will be re­spons­ible for dis­sem­in­at­ing in­form­a­tion to oth­er people they may have lis­ted on their back­ground check forms. Those people, whom the gov­ern­ment will not con­tact dir­ectly, will not have ac­cess to gov­ern­ment-bought iden­tity-pro­tec­tion ser­vices.

The hack that res­ul­ted in the loss of these re­cords began in May 2014, ac­cord­ing to OPM Dir­ect­or Kath­er­ine Archu­leta’s testi­mony be­fore Con­gress. It was not dis­covered un­til May 2015.

(RE­LATED: A Timeline of Gov­ern­ment Data Breaches)

A se­cur­ity up­date ap­plied by OPM and the Home­land Se­cur­ity De­part­ment in Janu­ary ended the bulk of the data ex­trac­tion, ac­cord­ing to con­gres­sion­al testi­mony from Andy Oz­ment, as­sist­ant sec­ret­ary for cy­ber­se­cur­ity and com­mu­nic­a­tions at DHS, even though the breach would not be dis­covered for months.

OPM said Thursday that in­di­vidu­als who un­der­went back­ground in­vest­ig­a­tions in or after the year 2000 are “highly likely” to have had their in­form­a­tion com­prom­ised in the breach. (This in­cludes both new ap­plic­ants and em­ploy­ees that were sub­ject to a “peri­od­ic re­in­vest­ig­a­tion” dur­ing that time.) But those who were in­vest­ig­ated be­fore 2000 also may have been af­fected.

CSID, the con­tract­or that was em­ployed to send out no­ti­fic­a­tions and provide iden­tity pro­tec­tion to the 4.2 mil­lion in­di­vidu­als af­fected by the hack an­nounced in June, is not cur­rently in­volved in the no­ti­fic­a­tion pro­cess for this data breach, a spokes­man for the com­pany said.

Law­makers and of­fi­cials cri­ti­cized CSID for its hand­ling of the earli­er no­ti­fic­a­tion pro­cess, and for mak­ing many em­ploy­ees who called in with ques­tions wait on hold for hours. It was not im­me­di­ately clear what com­pany will handle the next round of no­ti­fic­a­tions.

News of the second in­tru­sion was first re­por­ted in June and was de­scribed as a po­ten­tially dev­ast­at­ing heist of gov­ern­ment data, as hack­ers seized ex­tens­ive se­cur­ity-clear­ance in­form­a­tion from in­tel­li­gence and mil­it­ary per­son­nel. OPM said at the time that it be­came aware of the second hack while in­vest­ig­at­ing the smal­ler breach.

The size of the second breach ex­ceeds most of the es­tim­ates pre­vi­ously re­por­ted in vari­ous me­dia out­lets.

The per­son­nel agency said Thursday that it has not seen any in­dic­a­tion that the stolen in­form­a­tion has been “mis­used” or oth­er­wise dis­sem­in­ated.

(RE­LATED: Wash­ing­ton Can’t Fix Com­puter Glitches)

On Wed­nes­day, FBI Dir­ect­or James Comey re­fused to provide a spe­cif­ic num­ber when asked by mem­bers of the Sen­ate In­tel­li­gence Com­mit­tee about the size of the breach. Comey did say the hack was “enorm­ous,” however, and con­firmed that his own data had been com­prom­ised.

Sev­er­al law­makers in both parties have called for the resig­na­tions of Archu­leta and Donna Sey­mour, the chief in­form­a­tion of­ficer at OPM, since the data breaches came to light last month. A rush of state­ments Thursday ad­ded to that grow­ing chor­us build­ing against Archu­leta, from House Speak­er John Boehner, House Ma­jor­ity Whip Steve Scal­ise, and Re­pub­lic­an Sens. John Mc­Cain and Marco Ru­bio, among oth­ers.

Sen. Mark Warner, who sits on the Sen­ate In­tel­li­gence Com­mit­tee and has been in­volved in the fal­lout fol­low­ing the OPM hacks, also called for Archu­leta’s ouster late Thursday.

“The tech­no­lo­gic­al and se­cur­ity fail­ures at the Of­fice of Per­son­nel Man­age­ment pred­ate this dir­ect­or’s term, but Dir­ect­or Archu­leta’s slow and un­even re­sponse has not in­spired con­fid­ence that she is the right per­son to man­age OPM through this crisis,” the Vir­gin­ia Demo­crat said in a Thursday night state­ment. “It is time for her to step down, and I strongly urge the ad­min­is­tra­tion to choose new man­age­ment with proven abil­it­ies to ad­dress a crisis of this mag­nitude with an ap­pro­pri­ate sense of ur­gency and ac­count­ab­il­ity.”

Rep. Bar­bara Com­stock, a Vir­gin­ia Re­pub­lic­an who was no­ti­fied last month that her per­son­al in­form­a­tion had been com­prom­ised in the hacks due to her pre­vi­ous roles as a fed­er­al em­ploy­ee, chided Archu­leta for dis­play­ing “com­pla­cency, apathy “… and in­com­pet­ence” in the wake of the breach.

“It goes to the top,” Com­stock said in an in­ter­view with Na­tion­al Journ­al. “This is a fail­ure of lead­er­ship on her part, and if the pres­id­ent does not have the lead­er­ship to do this, I think she should step aside.”

At least two House Demo­crats, Reps. Ted Lieu and Jim Langev­in, the co­chair of the House cy­ber­se­cur­ity caucus, also have de­man­ded Archu­leta’s re­mov­al. Lieu and Re­pub­lic­an Rep. Steve Rus­sell went a step fur­ther Thursday, an­noun­cing that they were work­ing on le­gis­la­tion that would move the se­cur­ity-clear­ance data­base out of OPM en­tirely and in­to the hands of an un­spe­cified agency “that has a bet­ter grasp of cy­ber­threats.”

Archu­leta, for her part, has re­mained res­ol­ute in the face of with­er­ing scru­tiny. Dur­ing a Thursday press call, the one­time polit­ic­al dir­ect­or for Pres­id­ent Obama’s 2012 reelec­tion cam­paign, said she and her staff should be ap­plauded, not con­demned, for their ef­forts to up­grade the agency’s cy­ber­se­cur­ity since she took of­fice in Novem­ber 2013.

“It is be­cause the ef­forts of OPM and its staff that we’ve been able to identi­fy the breaches,” Archu­leta said. When asked dir­ectly if she or Sey­mour would resign, Archu­leta replied: “No.”

A White House spokes­man re­it­er­ated sup­port for the OPM dir­ect­or Thursday, echo­ing re­cent state­ments from White House press sec­ret­ary Josh Earn­est. In mid-June, Earn­est said that Obama “has con­fid­ence” that Archu­leta “is the right per­son for the job.”

This art­icle has been cla­ri­fied to re­flect the total num­ber of in­di­vidu­als af­fected by either OPM data breach.

What We're Following See More »
Bannon Is Out at the White House
3 hours ago

First, it was Sean Spicer. Then Reince Priebus. Now, presidential adviser Steve Bannon, perhaps the administration's biggest lightning rod for criticism, is out. “White House Chief of Staff John Kelly and Steve Bannon have mutually agreed today would be Steve’s last day,” the White House press secretary, Sarah Huckabee Sanders, said in a statement. “We are grateful for his service and wish him the best.” That's not to say the parting of ways isn't controversial. Bannon says he submitted his resignation on Aug. 7, but earlier today, "the president had told senior aides that he had decided to remove Mr. Bannon."

Trump Ends Obama’s “Operation Choke Point”
6 hours ago

"The Trump administration has ended Operation Choke Point, the anti-fraud initiative started under the Obama administration that many Republicans argued was used to target gun retailers and other businesses that Democrats found objectionable. Assistant Attorney General Stephen Boyd told GOP representatives in a Wednesday letter that the long-running program had ended, bringing a conclusion to a chapter in the Obama years that long provoked and angered conservatives who saw Choke Point as an extra-legal crackdown on politically disfavored groups."

Gorsuch to Deliver Speech at Trump Hotel
6 hours ago

"Liberal groups are raising questions about a speaking appearance Supreme Court Justice Neil Gorsuch plans to make next month at the Trump International Hotel in Washington. Gorsuch is scheduled to headline a luncheon celebrating the 50th anniversary of conservative group The Fund for American Studies on September 28, days before the next SCOTUS term begins October 2. Steve Slattery, a spokesman for The Fund for American Studies, said Gorsuch had nothing to do with venue choice, which was made long before the group asked Gorsuch to speak."

Administration Faces Exodus of Top Cybersecurity Officials
6 hours ago

"The Trump administration has lost a handful of individuals serving in top cybersecurity roles across the federal government in recent weeks, even as it has struggled to fill high-ranking IT positions. The developments present hurdles for the new administration and speak to the longstanding challenge the federal government faces in competing with the private sector for top tech talent." Among those resigning is Richard Staropoli, "a former U.S. Secret Service agent who served as chief information officer (CIO) of the Department of Homeland Security for just three months," and Dave DeVries, the CIO at OPM. Separately, the White House announced today that President Trump has directed that United States Cyber Command be elevated to the status of a Unified Combatant Command focused on cyberspace operations.

Former Top Aide to McConnell Says GOPers Should Abandon Trump
1 days ago

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.