OPM Officials: Database Breach Exposed Information of 21.5M
July 10, 2015 in News
On Thursday, the Office of Personnel Management announced that 21.5 million individuals were affected by a data breach targeting the agency’s security clearance database, which contains personal information including health history, FCW reports (Noble, FCW, 7/9).
According to a government official who asked to remain anonymous, investigators uncovered the breach while determining the extent of a separate incident that officials disclosed on June 4.
The affected database contains copies of Standard Form 86, a questionnaire filled out by applicants for national security positions. The forms can include health data, such as treatments or hospitalizations for “an emotional or mental health condition,” among other information.
In addition, the forms include:
- Information on applicants’ contacts and relatives; and
- Social Security numbers.
Security experts and some officials say evidence from the two incidents suggest the cyberattacks were carried out by Chinese hackers (iHealthBeat, 6/15).
The size of the security clearance database breach is greater than estimates initially reported by many media outlets, according to National Journal (Waddell/Volz, National Journal, 7/9).
The 21.5 million individuals whose information was accessed include:
- 19.7 million individuals who had undergone a government background check; and
- 1.8 million others, such as spouses and acquaintances of those who had background checks (Hirschfeld Davis, New York Times, 7/9).
OPM said that individuals who applied for a background check after 2000 were mostly likely to have had their information accessed. Nonetheless, information on individuals who applied prior to 2000 could have been accessed as well, according to OPM (FCW, 7/9).
In the incident, OPM said certain sensitive background information was compromised, which could include:
- Details about relatives;
- Employment history; and
- Past mental health issues or substance misuse.
According to OPM, 1.1 million of the files included fingerprints.
Further, OPM noted that some files in the compromised database included:
- Criminal history;
- Educational and residency history;
- Employment history;
- Financial history;
- Information about family members and acquaintances; and
- Health history (National Journal, 7/9).
OPM Director Katherine Archuleta said there was “no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s system.”
Individuals who are affected by the breach will be eligible for no-cost credit and identity theft monitoring (New York Times, 7/9).
In addition, senators from Maryland and Virginia and Del. Eleanor Holmes Norton (D-D.C.) have introduced legislation that would offer $5 million in identity theft insurance and provide no-cost lifetime identity protection to those affected (Davidson, “Federal Eye,” Washington Post, 7/9).
To share information and answer questions about the incident, OPM has:
- Launched a website; and
- Said it will operate a dedicated call center (FCW, 7/9).
OPM Director Resigns
A White House official said Archuleta will resign, effective Friday. According to the official, Archuleta said new leadership was necessary to move OPM “beyond the current challenges.”
Beth Cobert, the deputy director of management at OPM, will take the position temporarily until a replacement is found (Hirschfeld Davis, New York Times, 7/10).
In response to the data breach incidents, many lawmakers had called for Archuleta and OPM CIO Donna Seymour to resign (National Journal, 7/9).