More than 21 million Social Security numbers were compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management, the agency announced Thursday.
This hack is separate from the breach of OPM data that compromised 4.2 million Social Security numbers and was made public in June. Officials have privately linked both intrusions to China.
Of the 21.5 million records that were stolen, 19.7 million belonged to individuals who had undergone background investigations, OPM said. The remaining 1.8 million records belonged to other individuals, mostly applicants’ families.
3.6 million people were affected by both breaches, OPM press secretary Sam Schumach said Thursday night, bringing the total number of individuals affected by the pair of OPM hacks to 22.1 million.
The records that were compromised in the breach announced Thursday include detailed, sensitive background information, such as employment history, relatives, addresses, and past drug abuse or emotional disorders. OPM said 1.1 million of the compromised files included fingerprints.
Some of the files in the compromised database also include “residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details,” OPM said.
Also included in the database is information from background investigations, as well as usernames and passwords that applicants used to fill out investigation forms. And although separate systems that store health, financial, and payroll information do not appear to have been compromised, the agency says some mental health and financial information is included in the security clearance files that were affected by the hack.
Besides the 21.5 million individuals who had their Social Security information stolen, OPM says others’ identifying information—such as their names, addresses, and dates of birth—also were compromised.
OPM will provide credit monitoring and identity-theft protection services to the individuals whose Social Security numbers were stolen, but those individuals will be responsible for disseminating information to other people they may have listed on their background check forms. Those people, whom the government will not contact directly, will not have access to government-bought identity-protection services.
The hack that resulted in the loss of these records began in May 2014, according to OPM Director Katherine Archuleta’s testimony before Congress. It was not discovered until May 2015.
A security update applied by OPM and the Homeland Security Department in January ended the bulk of the data extraction, according to congressional testimony from Andy Ozment, assistant secretary for cybersecurity and communications at DHS, even though the breach would not be discovered for months.
OPM said Thursday that individuals who underwent background investigations in or after the year 2000 are “highly likely” to have had their information compromised in the breach. (This includes both new applicants and employees that were subject to a “periodic reinvestigation” during that time.) But those who were investigated before 2000 also may have been affected.
CSID, the contractor that was employed to send out notifications and provide identity protection to the 4.2 million individuals affected by the hack announced in June, is not currently involved in the notification process for this data breach, a spokesman for the company said.
Lawmakers and officials criticized CSID for its handling of the earlier notification process, and for making many employees who called in with questions wait on hold for hours. It was not immediately clear what company will handle the next round of notifications.
News of the second intrusion was first reported in June and was described as a potentially devastating heist of government data, as hackers seized extensive security-clearance information from intelligence and military personnel. OPM said at the time that it became aware of the second hack while investigating the smaller breach.
The size of the second breach exceeds most of the estimates previously reported in various media outlets.
The personnel agency said Thursday that it has not seen any indication that the stolen information has been “misused” or otherwise disseminated.
On Wednesday, FBI Director James Comey refused to provide a specific number when asked by members of the Senate Intelligence Committee about the size of the breach. Comey did say the hack was “enormous,” however, and confirmed that his own data had been compromised.
Several lawmakers in both parties have called for the resignations of Archuleta and Donna Seymour, the chief information officer at OPM, since the data breaches came to light last month. A rush of statements Thursday added to that growing chorus building against Archuleta, from House Speaker John Boehner, House Majority Whip Steve Scalise, and Republican Sens. John McCain and Marco Rubio, among others.
Sen. Mark Warner, who sits on the Senate Intelligence Committee and has been involved in the fallout following the OPM hacks, also called for Archuleta’s ouster late Thursday.
“The technological and security failures at the Office of Personnel Management predate this director’s term, but Director Archuleta’s slow and uneven response has not inspired confidence that she is the right person to manage OPM through this crisis,” the Virginia Democrat said in a Thursday night statement. “It is time for her to step down, and I strongly urge the administration to choose new management with proven abilities to address a crisis of this magnitude with an appropriate sense of urgency and accountability.”
Rep. Barbara Comstock, a Virginia Republican who was notified last month that her personal information had been compromised in the hacks due to her previous roles as a federal employee, chided Archuleta for displaying “complacency, apathy “… and incompetence” in the wake of the breach.
“It goes to the top,” Comstock said in an interview with National Journal. “This is a failure of leadership on her part, and if the president does not have the leadership to do this, I think she should step aside.”
At least two House Democrats, Reps. Ted Lieu and Jim Langevin, the cochair of the House cybersecurity caucus, also have demanded Archuleta’s removal. Lieu and Republican Rep. Steve Russell went a step further Thursday, announcing that they were working on legislation that would move the security-clearance database out of OPM entirely and into the hands of an unspecified agency “that has a better grasp of cyberthreats.”
Archuleta, for her part, has remained resolute in the face of withering scrutiny. During a Thursday press call, the onetime political director for President Obama’s 2012 reelection campaign, said she and her staff should be applauded, not condemned, for their efforts to upgrade the agency’s cybersecurity since she took office in November 2013.
“It is because the efforts of OPM and its staff that we’ve been able to identify the breaches,” Archuleta said. When asked directly if she or Seymour would resign, Archuleta replied: “No.”
A White House spokesman reiterated support for the OPM director Thursday, echoing recent statements from White House press secretary Josh Earnest. In mid-June, Earnest said that Obama “has confidence” that Archuleta “is the right person for the job.”
This article has been clarified to reflect the total number of individuals affected by either OPM data breach.
What We're Following See More »
The nonpartisan Congressional Budget Office has released its score of the House-passed American Health Care Act, which would replace Obamacare. According to the CBO, the bill would reduce the deficit by $119 billion by 2026, while leaving 14 million more Americans uninsured in 2018 than under current law, a number swelling to 23 million by 2026. Further, insurance premiums would balloon 20 percent in 2018 and five percent in 2019 before the waiver provision in the legislation would kick in. The provision allows states to apply for waivers and permit insurers to offer skimpier plans, which would likely entice younger and healthier individuals to buy health insurance while potentially pricing older and less healthy Americans out of insurance plans. House Republicans approved this bill in late April without waiting for the CBO score.
Republican Sen. Lindsey Graham said Wednesday during a Senate Appropriations subcommittee hearing that President Donald Trump's budget is literal more than recycling bin material. "The budget proposed by the president doesn't have a snowball's chance in hell of passing," Graham said. Graham had previously opposed the budget over its nearly 30 percent cut to the budget of the State Department. The budget slashes spending on domestic priorities while increasing military spending.
Senate Majority Leader Mitch McConnell said Wednesday that he doesn't yet know the formula towards gaining passage of an Obamacare replacement in the Senate. "I don't know how we get to 50 (votes) at the moment. But that's the goal," McConnell said. The House passed an Obamacare replacement bill which has been widely seen as dead on arrival in the Senate, and McConnell has put together a working group of Republican Senators working towards creating health care legislation which could gain the support of at least 50 Senators.
The transcript of a phone call between Donald Trump and Philippine President Rodrigo Duterte was leaked and it shows Trump referring to North Korean dictator Kim Jong Un as a "madman with nuclear weapons" and praising Duterte, saying he was doing an "unbelievable job on the drug problem." For context, Duterte has presided over a vicious and genocidal campaign of extrajudicial killings within his country which has led to the murder of thousands of expected drug dealers and users. Trump also told Duerte to take care of himself and promised that the U.S. would "take care of North Korea."