OPM May Announce Size of Second Data Breach Next Week

The embattled federal agency is planning to reveal details about a breach of security-clearance information as soon as early next week, according to Hill sources.

National Journal
Kaveh Waddell and Dustin Volz
Add to Briefcase
Kaveh Waddell and Dustin Volz
June 29, 2015, 2:32 p.m.

The Of­fice of Per­son­nel Man­age­ment up­dated con­gres­sion­al staffers Monday on the status of a re­view of its data-se­cur­ity sys­tems, but con­tin­ued to duck ques­tions about the ex­tent of a data breach that af­fected fed­er­al em­ploy­ees’ sens­it­ive back­ground-check data, ac­cord­ing to mul­tiple Hill sources.

OPM and the De­part­ment of Home­land Se­cur­ity held a joint con­fer­ence call with sev­er­al con­gres­sion­al of­fices to brief them on the on­go­ing in­vest­ig­a­tion in­to a pair of massive cy­ber-in­tru­sions dis­closed over the past month that of­fi­cials privately have linked to China.

One con­gres­sion­al staffer said OPM stated on the call that it is plan­ning to an­nounce as soon as next week the size of a second breach of its serv­ers, which ex­posed highly sens­it­ive se­cur­ity-clear­ance in­form­a­tion of in­tel­li­gence and mil­it­ary per­son­nel.

The agency pushed back against any sug­ges­tion that a defin­it­ive timeline was set for a new an­nounce­ment, however. “We will make a pub­lic an­nounce­ment when we have more de­tails to share,” OPM spokes­man Samuel Schu­mach said when asked about the call. “I just don’t know a spe­cif­ic date just yet.”

OPM of­fi­cials on the call said they had not yet reached a fi­nal de­term­in­a­tion about the scope of the second breach, ac­cord­ing to mul­tiple staffers, who would speak only on con­di­tion of an­onym­ity giv­en the sens­it­iv­ity of the call.

The es­tim­ates for the total num­ber of in­di­vidu­als af­fected by the data breach has in­creased in re­cent me­dia re­ports. Last week, CNN re­por­ted that tally could be as high as 18 mil­lion, giv­en that hack­ers had ac­cess to a data­base stor­ing se­cur­ity-clear­ance forms, known as SF-86, which pos­sess a mul­ti­tude of per­son­al in­form­a­tion about fam­ily mem­bers and oth­er close af­fil­i­ates.

Of­fi­cials used the call to dis­cuss the agency’s de­cision to sus­pend use of a Web-based sys­tem to fill out de­tailed back­ground in­vest­ig­a­tions, which it pub­licly an­nounced Monday. That sys­tem has a se­cur­ity flaw that will take sev­er­al weeks to fix, the agency said, but there is no evid­ence that the flaw was ex­ploited.

The of­fi­cials did not say how long the vul­ner­ab­il­ity had ex­is­ted be­fore it was dis­covered, or ex­actly what data was af­fected, ac­cord­ing to one con­gres­sion­al staffer who was on the call.

OPM has con­sist­ently said 4.2 mil­lion former and cur­rent work­ers were af­fected by a first hack of fed­er­al em­ploy­ee data. In testi­mony last week, OPM Dir­ect­or Kath­er­ine Archu­leta re­fused to give an es­tim­ate on how many em­ploy­ees were af­fected by what of­fi­cials have de­scribed as a dis­crete second breach of far more sens­it­ive se­cur­ity-clear­ance in­form­a­tion. The re­fus­al to provide a fig­ure is be­cause the in­vest­ig­a­tion is on­go­ing, Archu­leta said.

It is not yet clear wheth­er the second set of no­ti­fic­a­tions would be sent by the same con­tract­or that was in charge of the first wave of emails and let­ters to the 4.2 mil­lion in­di­vidu­als whose data may have been af­fected by the earli­er data breach at OPM.

That con­tract­or, CSID, was cri­ti­cized by law­makers and fed­er­al em­ploy­ees for send­ing no­ti­fic­a­tions by email that some as­sumed were an­oth­er at­tempt to de­fraud them. Mem­bers of Con­gress have also cited com­plaints about long wait times—up to three hours—for calls placed to the con­tract­or for help.

OPM paid CSID about $20 mil­lion for its no­ti­fic­a­tion ser­vices.

What We're Following See More »
Trump to Begin Covering His Own Legal Bills
1 days ago
Steele Says Follow the Money
1 days ago

"Christopher Steele, the former British intelligence officer who wrote the explosive dossier alleging ties between Donald Trump and Russia," says in a new book by The Guardian's Luke Harding that "Trump's land and hotel deals with Russians needed to be examined. ... Steele did not go into further detail, Harding said, but seemed to be referring to a 2008 home sale to the Russian oligarch Dmitry Rybolovlev. Richard Dearlove, who headed the UK foreign-intelligence unit MI6 between 1999 and 2004, said in April that Trump borrowed money from Russia for his business during the 2008 financial crisis."

Goldstone Ready to Meet with Mueller’s Team
1 days ago

"The British publicist who helped set up the fateful meeting between Donald Trump Jr. and a group of Russians at Trump Tower in June 2016 is ready to meet with Special Prosecutor Robert Mueller's office, according to several people familiar with the matter. Rob Goldstone has been living in Bangkok, Thailand, but has been communicating with Mueller's office through his lawyer, said a source close to Goldstone."

Kislyak Says Trump Campaign Contacts Too Numerous to List
1 days ago

"Russian Ambassador Sergey Kislyak said on Wednesday that it would take him more than 20 minutes to name all of the Trump officials he's met with or spoken to on the phone. ... Kislyak made the remarks in a sprawling interview with Russia-1, a popular state-owned Russian television channel."

Sabato Moves Alabama to “Lean Democrat”
2 days ago

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.