You probably know at least one person who worked for the federal government at some point, or maybe you do yourself. On Thursday the Office of Personnel Management announced that all of these people have a big problem: A breach compromised 21.5 million social security numbers in addition to those already exposed in an earlier hack.
The timeline can be hard to follow because after OPM’s June disclosure of an April hack that affected about 4.2 million employees, reports started coming out that the breach was actually much larger, perhaps affecting 18 million people. OPM’s Thursday statement finally put the speculation to rest. There were actually two hacks. OPM says:
“OPM and its interagency partners concluded with a high degree of confidence that personnel data for 4.2 million individuals had been stolen. This number has not changed since it was announced by OPM in early June. … The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was [also] stolen from the background investigation databases.”
Not the best.
The second hack includes 19.7 million people who themselves got background checked, plus 1.8 million “non-applicants” like spouses and family members. The National Journal reports that it was discovered in May, but had occurred a year before in May 2014. The agency says that about 1.1 million of the total 21.5 million records included fingerprints. OPM press secretary Sam Schumach said 3.6 million people overlapped between the two breaches, so the total number of individuals affected is 22.1 million.
The records, especially from the background check database but also overall, contained extensive personal information in addition to SSNs. They also frequently contained information about family members, friends, former civilian colleagues, or other people relevant to a background check or security clearance process, even if those people’s social security numbers weren’t compromised.
OPM is offering “at least” three years of free credit monitoring and other identity-theft safeguards to everyone whose SSN was compromised. People whose personal details were mentioned as references for background checks or clearances won’t get notified by the government and will have to rely on the employees and former employees themselves to notify them. “The notification package that will be sent to background investigation applicants will include detailed information that the applicant can provide to individuals he or she may have listed on a background investigation form,” OPM said.
The agency is going to set up an online portal and call center and says that it is taking steps to ensure the safety of current and new employees. Unions representing federal employees have been demanding these measures for a month.
Lawmakers are also renewing calls for OPM Director Katherine Archuleta’s resignation. (Update, July 10, 12:35 p.m.: Archuleta has resigned.) House Speaker John Boehner, House Majority Whip Steve Scalise, and other Republicans made statements to this effect on Thursday evening. Sen. Mark Warner, who is on the Senate Intelligence Committee, said in a statement:
“The technological and security failures at the Office of Personnel Management predate this director’s term, but Director Archuleta’s slow and uneven response has not inspired confidence that she is the right person to manage OPM through this crisis. It is time for her to step down. …”
OPM’s announcement does the very minimum to address the situation, but doesn’t show a powerful and nimble reaction to the problem. That’s not surprising, but it’s probably concerning for the one in 15 Americans who now have a potential security crisis on their hands.