The Office of Personnel Management announced today that 21.5 million people were affected by the cyber breach of its background investigation databases. This includes current, former and prospective federal employees and contractors.
“Since learning of the incident affecting background investigation records, OPM and the interagency incident response team have moved swiftly and thoroughly to assess the breach, analyze what data may have been stolen, and identify those individuals who may be affected,” OPM said in a press release. “The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.”
Some of the breached records include interviews conducted by background investigators along with approximately 1.1 million fingerprints. During an afternoon press briefing, OPM Director Katherine Archuleta elaborated on the information exposed during the cyber breach.
“OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details,” Archuleta said.
In addition, usernames and passwords that individuals used to complete their background application forms were stolen.
The 21.5 million total includes 3.6 million individuals whose personnel records were stolen during a separate, but related, cyber breach. That breach was discovered in April by OPM and affected 4.2 million people overall.
Few other details of who committed the hacks and how they did it were revealed. However, Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security, explained the timeframe when the offenders breached the system — May 2014 to April 2015. During that span, though, he said the hackers were only active between June 2014 and January 2015.
Ozment added that the same bad actors were responsible for both breaches. When asked if the hackers were from China, as some news outlets have reported, he declined to say, citing the ongoing nature of the investigation.
An analysis of OPM’s systems indicates the hackers are no longer active.
Archuleta said there is no proof at this time of “any misuse or further dissemination of the information that was stolen from OPM’s system” and no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of federal personnel were affected during this infiltration.
What the forensic investigation did discover is that when individuals underwent background checks matters quite a bit in relation to whether they’re part of the 21.5 million people affected. OPM said it is “highly likely” that anyone who filled out an SF 86, SF 85 or SF 85P form in 2000 or later was breached. Those who submitted forms before 2000 “may be impacted, but it is less likely.”
OPM recommends that Individuals who used the Electronic Questionnaires for Investigations Processing (e-QIP) system to process their security clearance forms change their e-QIP passwords. OPM took the e-QIP system offline earlier this month for cybersecurity fixes.
Next steps for the 21.5 million affected
To help the victims, Archuleta said OPM and the Department of Defense will work with a contractor to provide a suite of credit and identity theft monitoring and protection services for both background investigation applicants and non-applicants whose sensitive information was stolen. The protections will be provided for at least three years free of charge.
“Individualized notification packages offering these services, with further details on the incident, will be sent in the coming weeks,” Archuleta wrote in a blog post. “We will be incorporating lessons learned and feedback from stakeholders about the notification process just completed for a related cybersecurity incident.”
Individuals affected by the second breach will receive a notice in the mail describing the intrusion and what services will be available to them. According to OPM, affected individuals will receive:
OPM, however, will not be providing the same level of assistance for the people listed on background investigation forms whose Social Security Numbers were not included.
“There are other individuals whose name, address, date of birth, or other similar information may have been listed on a background investigation form. … In many cases, the information about these individuals is the same as information generally available in public forums, such as online directories or social media, and therefore the compromise of this information generally does not present the same level of risk of identity theft or other issues,” OPM said.
Archuleta’s agency is also developing “a proposal for types of credit and identity theft monitoring services that should be provided to all federal employees in the future,” she said.
In response, the Professional Services Council released a statement saying that the administration is “taking the right steps to protect all affected parties.”
“They’re doing now what we urged them and our member companies to do before this announcement, which is to offer a full array of identity theft monitoring tools to give those at risk peace of mind in this disturbing and difficult time,” PSC President and CEO Stan Soloway said.
Going forward, OPM is establishing both a call center and an online incident resource center to offer more information and materials. The call center is not yet open. But in the meantime, individuals can go to https://www.opm.gov/cybersecurity, which will be regularly updated.
OPM’s comprehensive review of its IT systems will continue in order to identify and address any other vulnerabilities.
“In light of recent events, I have requested a review of key questions related to information security, governance, policy, and other aspects of the security and suitability determination process to ensure that it is conducted in the most efficient, effective and secure manner possible,” Archuleta said.
The review will be completed by the Suitability and Security Performance and Accountability Council, which is an interagency group chaired by the Office of Management and Budget and made up of Archuleta and Director of National Intelligence James Clapper, as well as representatives from the FBI, the departments of Defense, Homeland Security, Justice and Energy, among others.
The White House this afternoon, as the news was breaking, reiterated its dedication to ward off cyber threats by listing off its efforts over the past six months. These include holding the White House Summit on Cybersecurity and Consumer Protection, and the Department of Homeland Security’s continual development of a system to automate the sharing of cyber threat indicators between the private sector and government.
Criticism of OPM continues
Others are voicing harsh criticism emphasizing that the hack has turned out to be six times larger than OPM initially reported.
Sen. Ron Johnson (R-Wis.), chairman of the Senate Committee on Homeland Security and Governmental Affairs, said the announcement confirmed what the media and FBI have been saying for the past month.
“Today’s announcement shows not only that cybersecurity on federal agency networks has been grossly inadequate but that the management of the OPM is not up to the task of fixing the problem,” Johnson said via a statement. “The agency and the administration have not even been able to correctly define the scope of the problem. This will have grave consequences for national security.”
Sen. James Lankford (R-Okla.), a member of the Senate Intelligence Committee and the chairman of the Senate Subcommittee on Regulatory Management and Federal Workforce, called the breach a “major national crisis.”
“The string of continuing bad news is the result of years of failed cybersecurity policy and a large bureaucratic government that is slow to respond and react to emerging threats,” he said in a statement. “OPM’s historic inability to adapt and upgrade their processes are well documented. This is not an issue of legacy hardware, it is a problem with legacy security processes.”
In addition, the National Treasury Employees Union is going ahead with legal action against OPM. NTEU National President Colleen M. Kelley said the union remains supportive of legislation being prepared by Sen. Ben Cardin (D-Md.) and Del. Eleanor Holmes Norton (D-D.C.) to provide lifetime credit and ID-fraud protection to everyone who was affected by the hacks.
“NTEU continues to be outraged that so many of our members have had their personal information compromised due to these breaches,” Kelley said. “We will continue to pursue our lawsuit to provide lifetime credit monitoring and identity theft protection for our members and we will be supporting legislation to be introduced in the next few days. We will also continue to press OPM, OMB, Congress and the President to increase the protections and the level of service provided to those affected as well as to ensure that this never happens again.”
Putting the breaches into a wider cybersecurity context
Michael Daniel, special assistant to the President and Cybersecurity Coordinator on the National Security Council, said during the briefing, the second OPM breach is not without precedent.
“We live in a world where the cybersecurity threats that we are facing are consistently growing broader as we hook more and more stuff up to the Internet,” he said. “The adversaries are growing more sophisticated as they bring organizational techniques into what they are doing in cyberspace. They are becoming more dangerous, as adversaries are willing to cross lines that use to hold back from. It’s becoming increasingly a tool used by criminal organizations and nation-states to try to accomplish their goals.”
Daniel outlined three things the U.S. needs to do effectively to deal with this threat.
“We have to raise our level of cybersecurity in both the private sector and in the public sector, and we need to do that in both the short-term and in the long run,” he said. “We also need to enhance our ability to deter, disrupt, and interrupt what the bad guys are doing in cyberspace. And lastly, we need to improve our ability to respond and recover from incidents when they do occur.”
Daniel concluded by saying that cybersecurity is not just about technology; it’s about changing one’s mindset and the culture.
“Certainly, during the Cold War, nobody would’ve thought of OPM as a target for identity theft or espionage,” he said. “Just the nature of paper files and the way we thought about information didn’t lend itself to that. And the truth is that both in the private sector and in the public sector, we have not fully made the shift to what living in a truly digital environment means for how we have to think about the kinds of information we have, where it’s stored, how it’s stored, how we’re protecting it and how we need to think of that in a much more integrated fashion.”
Archuleta’s pledges going forward
As she explained next steps, OPM’s director expressed empathy for those affected and a commitment to do better.
“I truly understand the impact this has on our current and former federal employees, our military personnel and our contractors,” Archuleta said. “Each and every one of us at OPM is committed to protecting the safety and the security of the information that is placed in our trust, and we remain committed to everything in our power to assist those that have been impacted by this incident. And we will continue with my strategic plan to safeguard our systems and data.”
Following the initial release of information about the two cyber breaches, some have called for the resignations of Archuleta and OPM Chief Information Officer Donna Seymour.
Archuleta reaffirmed her support of Seymour and her commitment to the work she is doing.
“We are working very hard, not only at OPM but across government to ensure the cybersecurity of all of our systems, and I will continue to do so,” she said.