OPM May Announce Size of Second Data Breach Next Week

The embattled federal agency is planning to reveal details about a breach of security-clearance information as soon as early next week, according to Hill sources.

National Journal
Kaveh Waddell and Dustin Volz
Add to Briefcase
Kaveh Waddell and Dustin Volz
June 29, 2015, 2:32 p.m.

The Of­fice of Per­son­nel Man­age­ment up­dated con­gres­sion­al staffers Monday on the status of a re­view of its data-se­cur­ity sys­tems, but con­tin­ued to duck ques­tions about the ex­tent of a data breach that af­fected fed­er­al em­ploy­ees’ sens­it­ive back­ground-check data, ac­cord­ing to mul­tiple Hill sources.

OPM and the De­part­ment of Home­land Se­cur­ity held a joint con­fer­ence call with sev­er­al con­gres­sion­al of­fices to brief them on the on­go­ing in­vest­ig­a­tion in­to a pair of massive cy­ber-in­tru­sions dis­closed over the past month that of­fi­cials privately have linked to China.

One con­gres­sion­al staffer said OPM stated on the call that it is plan­ning to an­nounce as soon as next week the size of a second breach of its serv­ers, which ex­posed highly sens­it­ive se­cur­ity-clear­ance in­form­a­tion of in­tel­li­gence and mil­it­ary per­son­nel.

The agency pushed back against any sug­ges­tion that a defin­it­ive timeline was set for a new an­nounce­ment, however. “We will make a pub­lic an­nounce­ment when we have more de­tails to share,” OPM spokes­man Samuel Schu­mach said when asked about the call. “I just don’t know a spe­cif­ic date just yet.”

OPM of­fi­cials on the call said they had not yet reached a fi­nal de­term­in­a­tion about the scope of the second breach, ac­cord­ing to mul­tiple staffers, who would speak only on con­di­tion of an­onym­ity giv­en the sens­it­iv­ity of the call.

The es­tim­ates for the total num­ber of in­di­vidu­als af­fected by the data breach has in­creased in re­cent me­dia re­ports. Last week, CNN re­por­ted that tally could be as high as 18 mil­lion, giv­en that hack­ers had ac­cess to a data­base stor­ing se­cur­ity-clear­ance forms, known as SF-86, which pos­sess a mul­ti­tude of per­son­al in­form­a­tion about fam­ily mem­bers and oth­er close af­fil­i­ates.

Of­fi­cials used the call to dis­cuss the agency’s de­cision to sus­pend use of a Web-based sys­tem to fill out de­tailed back­ground in­vest­ig­a­tions, which it pub­licly an­nounced Monday. That sys­tem has a se­cur­ity flaw that will take sev­er­al weeks to fix, the agency said, but there is no evid­ence that the flaw was ex­ploited.

The of­fi­cials did not say how long the vul­ner­ab­il­ity had ex­is­ted be­fore it was dis­covered, or ex­actly what data was af­fected, ac­cord­ing to one con­gres­sion­al staffer who was on the call.

OPM has con­sist­ently said 4.2 mil­lion former and cur­rent work­ers were af­fected by a first hack of fed­er­al em­ploy­ee data. In testi­mony last week, OPM Dir­ect­or Kath­er­ine Archu­leta re­fused to give an es­tim­ate on how many em­ploy­ees were af­fected by what of­fi­cials have de­scribed as a dis­crete second breach of far more sens­it­ive se­cur­ity-clear­ance in­form­a­tion. The re­fus­al to provide a fig­ure is be­cause the in­vest­ig­a­tion is on­go­ing, Archu­leta said.

It is not yet clear wheth­er the second set of no­ti­fic­a­tions would be sent by the same con­tract­or that was in charge of the first wave of emails and let­ters to the 4.2 mil­lion in­di­vidu­als whose data may have been af­fected by the earli­er data breach at OPM.

That con­tract­or, CSID, was cri­ti­cized by law­makers and fed­er­al em­ploy­ees for send­ing no­ti­fic­a­tions by email that some as­sumed were an­oth­er at­tempt to de­fraud them. Mem­bers of Con­gress have also cited com­plaints about long wait times—up to three hours—for calls placed to the con­tract­or for help.

OPM paid CSID about $20 mil­lion for its no­ti­fic­a­tion ser­vices.

What We're Following See More »
DOJ Indicts Another Russian National
13 hours ago
Top Staffer in FBI's Russia Probe Leaves for Private Sector
19 hours ago

"A senior FBI official overseeing a government task force that addresses Russian attempts to meddle in U.S. elections has left the government for a job in the private sector, a departure that comes just months ahead of the 2018 midterm contests. Jeffrey Tricoli had been coleading the FBI foreign influence task force until June, when he left government work for a senior vice president job at Charles Schwab Corp. , the company confirmed."

Trump, Putin Meeting Surpasses Two Hours
19 hours ago
Germany Says It Can No Longer Rely on U.S.
19 hours ago

German foreign minister Heiko Maas "said on Monday Europe could not rely on Donald Trump and needed to close ranks after the U.S. president called the European Union a 'foe' with regard to trade." He added: "To maintain our partnership with the USA we must readjust it. The first clear consequence can only be that we need to align ourselves even more closely in Europe.”

Roger Stone Says He's the Unnamed Person in Mueller's Indictment
1 days ago

"The mercurial veteran GOP political operative, Roger Stone, has acknowledged that he is the unnamed Trump campaign regular who corresponded with an alleged Russian hacker, as described in a new indictment against a dozen Russians returned Friday by a federal grand jury." He told ABC News that he previously admitted to the contact to House investigators. He called the correspondence "benign."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.