OPM Announces More Than 21 Million Affected by Second Data Breach

The federal personnel agency finally announced Thursday the scope of a massive hack of security-clearance information first revealed last month.

Office of Personnel Management Director Katherine Archuleta testifies on Capitol Hill in Washington.
July 9, 2015, 11:11 a.m.

More than 21 million Social Security numbers were compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management, the agency announced Thursday.

This hack is separate from the breach of OPM data that compromised 4.2 million Social Security numbers and was made public in June. Officials have privately linked both intrusions to China.

Of the 21.5 million records that were stolen, 19.7 million belonged to individuals who had undergone background investigations, OPM said. The remaining 1.8 million records belonged to other individuals, mostly applicants’ families.

3.6 million people were affected by both breaches, OPM press secretary Sam Schumach said Thursday night, bringing the total number of individuals affected by the pair of OPM hacks to 22.1 million.

The records that were compromised in the breach announced Thursday include detailed, sensitive background information, such as employment history, relatives, addresses, and past drug abuse or emotional disorders. OPM said 1.1 million of the compromised files included fingerprints.

Some of the files in the compromised database also include “residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details,” OPM said.

Also included in the database is information from background investigations, as well as usernames and passwords that applicants used to fill out investigation forms. And although separate systems that store health, financial, and payroll information do not appear to have been compromised, the agency says some mental health and financial information is included in the security clearance files that were affected by the hack.

Besides the 21.5 million individuals who had their Social Security information stolen, OPM says others’ identifying information—such as their names, addresses, and dates of birth—also were compromised.

OPM will provide credit monitoring and identity-theft protection services to the individuals whose Social Security numbers were stolen, but those individuals will be responsible for disseminating information to other people they may have listed on their background check forms. Those people, whom the government will not contact directly, will not have access to government-bought identity-protection services.

The hack that resulted in the loss of these records began in May 2014, according to OPM Director Katherine Archuleta’s testimony before Congress. It was not discovered until May 2015.

A security update applied by OPM and the Homeland Security Department in January ended the bulk of the data extraction, according to congressional testimony from Andy Ozment, assistant secretary for cybersecurity and communications at DHS, even though the breach would not be discovered for months.

OPM said Thursday that individuals who underwent background investigations in or after the year 2000 are “highly likely” to have had their information compromised in the breach. (This includes both new applicants and employees that were subject to a “periodic reinvestigation” during that time.) But those who were investigated before 2000 also may have been affected.

CSID, the contractor that was employed to send out notifications and provide identity protection to the 4.2 million individuals affected by the hack announced in June, is not currently involved in the notification process for this data breach, a spokesman for the company said.

Lawmakers and officials criticized CSID for its handling of the earlier notification process, and for making many employees who called in with questions wait on hold for hours. It was not immediately clear what company will handle the next round of notifications.

News of the second intrusion was first reported in June and was described as a potentially devastating heist of government data, as hackers seized extensive security-clearance information from intelligence and military personnel. OPM said at the time that it became aware of the second hack while investigating the smaller breach.

The size of the second breach exceeds most of the estimates previously reported in various media outlets.

The personnel agency said Thursday that it has not seen any indication that the stolen information has been “misused” or otherwise disseminated.

On Wednesday, FBI Director James Comey refused to provide a specific number when asked by members of the Senate Intelligence Committee about the size of the breach. Comey did say the hack was “enormous,” however, and confirmed that his own data had been compromised.

Several lawmakers in both parties have called for the resignations of Archuleta and Donna Seymour, the chief information officer at OPM, since the data breaches came to light last month. A rush of statements Thursday added to that growing chorus building against Archuleta, from House Speaker John Boehner, House Majority Whip Steve Scalise, and Republican Sens. John McCain and Marco Rubio, among others.

Sen. Mark Warner, who sits on the Senate Intelligence Committee and has been involved in the fallout following the OPM hacks, also called for Archuleta’s ouster late Thursday.

“The technological and security failures at the Office of Personnel Management predate this director’s term, but Director Archuleta’s slow and uneven response has not inspired confidence that she is the right person to manage OPM through this crisis,” the Virginia Democrat said in a Thursday night statement. “It is time for her to step down, and I strongly urge the administration to choose new management with proven abilities to address a crisis of this magnitude with an appropriate sense of urgency and accountability.”

Rep. Barbara Comstock, a Virginia Republican who was notified last month that her personal information had been compromised in the hacks due to her previous roles as a federal employee, chided Archuleta for displaying “complacency, apathy … and incompetence” in the wake of the breach.

“It goes to the top,” Comstock said in an interview with National Journal. “This is a failure of leadership on her part, and if the president does not have the leadership to do this, I think she should step aside.”

At least two House Democrats, Reps. Ted Lieu and Jim Langevin, the cochair of the House cybersecurity caucus, also have demanded Archuleta’s removal. Lieu and Republican Rep. Steve Russell went a step further Thursday, announcing that they were working on legislation that would move the security-clearance database out of OPM entirely and into the hands of an unspecified agency “that has a better grasp of cyberthreats.”

Archuleta, for her part, has remained resolute in the face of withering scrutiny. During a Thursday press call, the onetime political director for President Obama’s 2012 reelection campaign said she and her staff should be applauded, not condemned, for their efforts to upgrade the agency’s cybersecurity since she took office in November 2013.

“It is because the efforts of OPM and its staff that we’ve been able to identify the breaches,” Archuleta said. When asked directly if she or Seymour would resign, Archuleta replied: “No.”

A White House spokesman reiterated support for the OPM director Thursday, echoing recent statements from White House press secretary Josh Earnest. In mid-June, Earnest said that Obama “has confidence” that Archuleta “is the right person for the job.”

This article has been clarified to reflect the total number of individuals affected by either OPM data breach.
