OPM Announces More Than 21 Million Affected by Second Data Breach

The federal personnel agency finally announced Thursday the scope of a massive hack of security-clearance information first revealed last month.

Office of Personnel Management Director Katherine Archuleta testifies on Capitol Hill in Washington.
Dustin Volz and Kaveh Waddell
Add to Briefcase
Dustin Volz and Kaveh Waddell
July 9, 2015, 11:11 a.m.

More than 21 mil­lion So­cial Se­cur­ity num­bers were com­prom­ised in a breach that af­fected a data­base of sens­it­ive in­form­a­tion on fed­er­al em­ploy­ees held by the Of­fice of Per­son­nel Man­age­ment, the agency an­nounced Thursday.

This hack is sep­ar­ate from the breach of OPM data that com­prom­ised 4.2 mil­lion So­cial Se­cur­ity num­bers and was made pub­lic in June. Of­fi­cials have privately linked both in­tru­sions to China.

Of the 21.5 mil­lion re­cords that were stolen, 19.7 mil­lion be­longed to in­di­vidu­als who had un­der­gone back­ground in­vest­ig­a­tions, OPM said. The re­main­ing 1.8 mil­lion re­cords be­longed to oth­er in­di­vidu­als, mostly ap­plic­ants’ fam­il­ies.

3.6 mil­lion people were af­fected by both breaches, OPM press sec­ret­ary Sam Schu­mach said Thursday night, bring­ing the total num­ber of in­di­vidu­als af­fected by the pair of OPM hacks to 22.1 mil­lion.

The re­cords that were com­prom­ised in the breach an­nounced Thursday in­clude de­tailed, sens­it­ive back­ground in­form­a­tion, such as em­ploy­ment his­tory, re­l­at­ives, ad­dresses, and past drug ab­use or emo­tion­al dis­orders. OPM said 1.1 mil­lion of the com­prom­ised files in­cluded fin­ger­prints.

(RE­LATED: Law­maker Pledges Le­gis­la­tion to Bet­ter Pro­tect Hacked Feds as An­oth­er Uni­on Sues OPM)

Some of the files in the com­prom­ised data­base also in­clude “res­id­ency and edu­ca­tion­al his­tory; em­ploy­ment his­tory; in­form­a­tion about im­me­di­ate fam­ily and oth­er per­son­al and busi­ness ac­quaint­ances; health, crim­in­al and fin­an­cial his­tory; and oth­er de­tails,” OPM said.

Also in­cluded in the data­base is in­form­a­tion from back­ground in­vest­ig­a­tions, as well as user­names and pass­words that ap­plic­ants used to fill out in­vest­ig­a­tion forms. And al­though sep­ar­ate sys­tems that store health, fin­an­cial, and payroll in­form­a­tion do not ap­pear to have been com­prom­ised, the agency says some men­tal health and fin­an­cial in­form­a­tion is in­cluded in the se­cur­ity clear­ance files that were af­fected by the hack.

Be­sides the 21.5 mil­lion in­di­vidu­als who had their So­cial Se­cur­ity in­form­a­tion stolen, OPM says oth­ers’ identi­fy­ing in­form­a­tion—such as their names, ad­dresses, and dates of birth—also were com­prom­ised.

OPM will provide cred­it mon­it­or­ing and iden­tity-theft pro­tec­tion ser­vices to the in­di­vidu­als whose So­cial Se­cur­ity num­bers were stolen, but those in­di­vidu­als will be re­spons­ible for dis­sem­in­at­ing in­form­a­tion to oth­er people they may have lis­ted on their back­ground check forms. Those people, whom the gov­ern­ment will not con­tact dir­ectly, will not have ac­cess to gov­ern­ment-bought iden­tity-pro­tec­tion ser­vices.

The hack that res­ul­ted in the loss of these re­cords began in May 2014, ac­cord­ing to OPM Dir­ect­or Kath­er­ine Archu­leta’s testi­mony be­fore Con­gress. It was not dis­covered un­til May 2015.

(RE­LATED: A Timeline of Gov­ern­ment Data Breaches)

A se­cur­ity up­date ap­plied by OPM and the Home­land Se­cur­ity De­part­ment in Janu­ary ended the bulk of the data ex­trac­tion, ac­cord­ing to con­gres­sion­al testi­mony from Andy Oz­ment, as­sist­ant sec­ret­ary for cy­ber­se­cur­ity and com­mu­nic­a­tions at DHS, even though the breach would not be dis­covered for months.

OPM said Thursday that in­di­vidu­als who un­der­went back­ground in­vest­ig­a­tions in or after the year 2000 are “highly likely” to have had their in­form­a­tion com­prom­ised in the breach. (This in­cludes both new ap­plic­ants and em­ploy­ees that were sub­ject to a “peri­od­ic re­in­vest­ig­a­tion” dur­ing that time.) But those who were in­vest­ig­ated be­fore 2000 also may have been af­fected.

CSID, the con­tract­or that was em­ployed to send out no­ti­fic­a­tions and provide iden­tity pro­tec­tion to the 4.2 mil­lion in­di­vidu­als af­fected by the hack an­nounced in June, is not cur­rently in­volved in the no­ti­fic­a­tion pro­cess for this data breach, a spokes­man for the com­pany said.

Law­makers and of­fi­cials cri­ti­cized CSID for its hand­ling of the earli­er no­ti­fic­a­tion pro­cess, and for mak­ing many em­ploy­ees who called in with ques­tions wait on hold for hours. It was not im­me­di­ately clear what com­pany will handle the next round of no­ti­fic­a­tions.

News of the second in­tru­sion was first re­por­ted in June and was de­scribed as a po­ten­tially dev­ast­at­ing heist of gov­ern­ment data, as hack­ers seized ex­tens­ive se­cur­ity-clear­ance in­form­a­tion from in­tel­li­gence and mil­it­ary per­son­nel. OPM said at the time that it be­came aware of the second hack while in­vest­ig­at­ing the smal­ler breach.

The size of the second breach ex­ceeds most of the es­tim­ates pre­vi­ously re­por­ted in vari­ous me­dia out­lets.

The per­son­nel agency said Thursday that it has not seen any in­dic­a­tion that the stolen in­form­a­tion has been “mis­used” or oth­er­wise dis­sem­in­ated.

(RE­LATED: Wash­ing­ton Can’t Fix Com­puter Glitches)

On Wed­nes­day, FBI Dir­ect­or James Comey re­fused to provide a spe­cif­ic num­ber when asked by mem­bers of the Sen­ate In­tel­li­gence Com­mit­tee about the size of the breach. Comey did say the hack was “enorm­ous,” however, and con­firmed that his own data had been com­prom­ised.

Sev­er­al law­makers in both parties have called for the resig­na­tions of Archu­leta and Donna Sey­mour, the chief in­form­a­tion of­ficer at OPM, since the data breaches came to light last month. A rush of state­ments Thursday ad­ded to that grow­ing chor­us build­ing against Archu­leta, from House Speak­er John Boehner, House Ma­jor­ity Whip Steve Scal­ise, and Re­pub­lic­an Sens. John Mc­Cain and Marco Ru­bio, among oth­ers.

Sen. Mark Warner, who sits on the Sen­ate In­tel­li­gence Com­mit­tee and has been in­volved in the fal­lout fol­low­ing the OPM hacks, also called for Archu­leta’s ouster late Thursday.

“The tech­no­lo­gic­al and se­cur­ity fail­ures at the Of­fice of Per­son­nel Man­age­ment pred­ate this dir­ect­or’s term, but Dir­ect­or Archu­leta’s slow and un­even re­sponse has not in­spired con­fid­ence that she is the right per­son to man­age OPM through this crisis,” the Vir­gin­ia Demo­crat said in a Thursday night state­ment. “It is time for her to step down, and I strongly urge the ad­min­is­tra­tion to choose new man­age­ment with proven abil­it­ies to ad­dress a crisis of this mag­nitude with an ap­pro­pri­ate sense of ur­gency and ac­count­ab­il­ity.”

Rep. Bar­bara Com­stock, a Vir­gin­ia Re­pub­lic­an who was no­ti­fied last month that her per­son­al in­form­a­tion had been com­prom­ised in the hacks due to her pre­vi­ous roles as a fed­er­al em­ploy­ee, chided Archu­leta for dis­play­ing “com­pla­cency, apathy “… and in­com­pet­ence” in the wake of the breach.

“It goes to the top,” Com­stock said in an in­ter­view with Na­tion­al Journ­al. “This is a fail­ure of lead­er­ship on her part, and if the pres­id­ent does not have the lead­er­ship to do this, I think she should step aside.”

At least two House Demo­crats, Reps. Ted Lieu and Jim Langev­in, the co­chair of the House cy­ber­se­cur­ity caucus, also have de­man­ded Archu­leta’s re­mov­al. Lieu and Re­pub­lic­an Rep. Steve Rus­sell went a step fur­ther Thursday, an­noun­cing that they were work­ing on le­gis­la­tion that would move the se­cur­ity-clear­ance data­base out of OPM en­tirely and in­to the hands of an un­spe­cified agency “that has a bet­ter grasp of cy­ber­threats.”

Archu­leta, for her part, has re­mained res­ol­ute in the face of with­er­ing scru­tiny. Dur­ing a Thursday press call, the one­time polit­ic­al dir­ect­or for Pres­id­ent Obama’s 2012 reelec­tion cam­paign, said she and her staff should be ap­plauded, not con­demned, for their ef­forts to up­grade the agency’s cy­ber­se­cur­ity since she took of­fice in Novem­ber 2013.

“It is be­cause the ef­forts of OPM and its staff that we’ve been able to identi­fy the breaches,” Archu­leta said. When asked dir­ectly if she or Sey­mour would resign, Archu­leta replied: “No.”

A White House spokes­man re­it­er­ated sup­port for the OPM dir­ect­or Thursday, echo­ing re­cent state­ments from White House press sec­ret­ary Josh Earn­est. In mid-June, Earn­est said that Obama “has con­fid­ence” that Archu­leta “is the right per­son for the job.”

This art­icle has been cla­ri­fied to re­flect the total num­ber of in­di­vidu­als af­fected by either OPM data breach.

What We're Following See More »
Cruz to Back Trump
1 days ago
Two Polls for Clinton, One for Trump
1 days ago

With three days until the first debate, the polls are coming fast and furious. The latest round:

  • An Associated Press/Gfk poll of registered voters found very few voters committed, with Clin­ton lead­ing Trump, 37% to 29%, and Gary John­son at 7%.
  • A Mc­Clatchy-Mar­ist poll gave Clin­ton a six-point edge, 45% to 39%, in a four-way bal­lot test. Johnson pulls 10% support, with Jill Stein at 4%.
  • Rasmussen, which has drawn criticism for continually showing Donald Trump doing much better than he does in other polls, is at it again. A new survey gives Trump a five-point lead, 44%-39%.
Trump Eschewing Briefing Materials in Debate Prep
1 days ago

In contrast to Hillary Clinton's meticulous debate practice sessions, Donald Trump "is largely shun­ning tra­di­tion­al de­bate pre­par­a­tions, but has been watch­ing video of…Clin­ton’s best and worst de­bate mo­ments, look­ing for her vul­ner­ab­il­it­ies.” Trump “has paid only curs­ory at­ten­tion to brief­ing ma­ter­i­als. He has re­fused to use lecterns in mock de­bate ses­sions des­pite the ur­ging of his ad­visers. He prefers spit­balling ideas with his team rather than hon­ing them in­to crisp, two-minute an­swers.”

Trump Makes No Outreach to Spanish Speakers
1 days ago

Donald Trump "is on the precipice of becoming the only major-party presidential candidate this century not to reach out to millions of American voters whose dominant, first or just preferred language is Spanish. Trump has not only failed to buy any Spanish-language television or radio ads, he so far has avoided even offering a translation of his website into Spanish, breaking with two decades of bipartisan tradition."

Clintons Buy the House Next Door in Chappaqua
2 days ago

Bill and Hillary Clinton have purchased the home next door to their primary residence in tony Chappaqua, New York, for $1.16 million. "By purchasing the new home, the Clinton's now own the entire cul-de-sac at the end of the road in the leafy New York suburb. The purchase makes it easier for the United States Secret Service to protect the former president and possible future commander in chief."