OPM May Announce Size of Second Data Breach Next Week

The embattled federal agency is planning to reveal details about a breach of security-clearance information as soon as early next week, according to Hill sources.

National Journal
Kaveh Waddell and Dustin Volz
Add to Briefcase
Kaveh Waddell and Dustin Volz
June 29, 2015, 2:32 p.m.

The Of­fice of Per­son­nel Man­age­ment up­dated con­gres­sion­al staffers Monday on the status of a re­view of its data-se­cur­ity sys­tems, but con­tin­ued to duck ques­tions about the ex­tent of a data breach that af­fected fed­er­al em­ploy­ees’ sens­it­ive back­ground-check data, ac­cord­ing to mul­tiple Hill sources.

OPM and the De­part­ment of Home­land Se­cur­ity held a joint con­fer­ence call with sev­er­al con­gres­sion­al of­fices to brief them on the on­go­ing in­vest­ig­a­tion in­to a pair of massive cy­ber-in­tru­sions dis­closed over the past month that of­fi­cials privately have linked to China.

One con­gres­sion­al staffer said OPM stated on the call that it is plan­ning to an­nounce as soon as next week the size of a second breach of its serv­ers, which ex­posed highly sens­it­ive se­cur­ity-clear­ance in­form­a­tion of in­tel­li­gence and mil­it­ary per­son­nel.

The agency pushed back against any sug­ges­tion that a defin­it­ive timeline was set for a new an­nounce­ment, however. “We will make a pub­lic an­nounce­ment when we have more de­tails to share,” OPM spokes­man Samuel Schu­mach said when asked about the call. “I just don’t know a spe­cif­ic date just yet.”

OPM of­fi­cials on the call said they had not yet reached a fi­nal de­term­in­a­tion about the scope of the second breach, ac­cord­ing to mul­tiple staffers, who would speak only on con­di­tion of an­onym­ity giv­en the sens­it­iv­ity of the call.

The es­tim­ates for the total num­ber of in­di­vidu­als af­fected by the data breach has in­creased in re­cent me­dia re­ports. Last week, CNN re­por­ted that tally could be as high as 18 mil­lion, giv­en that hack­ers had ac­cess to a data­base stor­ing se­cur­ity-clear­ance forms, known as SF-86, which pos­sess a mul­ti­tude of per­son­al in­form­a­tion about fam­ily mem­bers and oth­er close af­fil­i­ates.

Of­fi­cials used the call to dis­cuss the agency’s de­cision to sus­pend use of a Web-based sys­tem to fill out de­tailed back­ground in­vest­ig­a­tions, which it pub­licly an­nounced Monday. That sys­tem has a se­cur­ity flaw that will take sev­er­al weeks to fix, the agency said, but there is no evid­ence that the flaw was ex­ploited.

The of­fi­cials did not say how long the vul­ner­ab­il­ity had ex­is­ted be­fore it was dis­covered, or ex­actly what data was af­fected, ac­cord­ing to one con­gres­sion­al staffer who was on the call.

OPM has con­sist­ently said 4.2 mil­lion former and cur­rent work­ers were af­fected by a first hack of fed­er­al em­ploy­ee data. In testi­mony last week, OPM Dir­ect­or Kath­er­ine Archu­leta re­fused to give an es­tim­ate on how many em­ploy­ees were af­fected by what of­fi­cials have de­scribed as a dis­crete second breach of far more sens­it­ive se­cur­ity-clear­ance in­form­a­tion. The re­fus­al to provide a fig­ure is be­cause the in­vest­ig­a­tion is on­go­ing, Archu­leta said.

It is not yet clear wheth­er the second set of no­ti­fic­a­tions would be sent by the same con­tract­or that was in charge of the first wave of emails and let­ters to the 4.2 mil­lion in­di­vidu­als whose data may have been af­fected by the earli­er data breach at OPM.

That con­tract­or, CSID, was cri­ti­cized by law­makers and fed­er­al em­ploy­ees for send­ing no­ti­fic­a­tions by email that some as­sumed were an­oth­er at­tempt to de­fraud them. Mem­bers of Con­gress have also cited com­plaints about long wait times—up to three hours—for calls placed to the con­tract­or for help.

OPM paid CSID about $20 mil­lion for its no­ti­fic­a­tion ser­vices.

What We're Following See More »
SCOTUS Throws Out Immigrant’s Conviction, Citing Poor Representation
2 hours ago

"The U.S. Supreme Court on Friday threw out a legal immigrant's drug conviction on the grounds that his lawyer had failed to advise him that he could be deported to his native South Korea if found guilty. The court ruled 6-2 in favor of Jae Lee, who ran two restaurants in Memphis, Tennessee and has lived in the United States since 1982 when he was 12. Despite the ruling, Lee could still be deported if he is tried and convicted again for the drug offense."

Carrier Moving 600 Jobs to Mexico
5 hours ago
Jets Owner Woody Johnson Nominated as Ambassador to UK
5 hours ago
Sens. Paul, Cruz, Johnson and Lee Oppose Senate Health Care Bill
23 hours ago

The four Senators released a joint statement, saying in part, "There are provisions in this draft that repreesnt an improvement to our current health care system, but it does not appear this draft as written will accomplish the most important promise we made to Americans: to repeal Obamacare and lower their health care costs."

No Comey Tapes
1 days ago

Trump tweeted Thursday afternoon, "With all of the recently reported electronic surveillance, intercepts, unmasking and illegal leaking of information, I have no idea whether there are "tapes" or recordings of my conversations with James Comey, but I did not make, and do not have, any such recordings."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.