The US Office of Personnel Management now says its analysis of a breach discovered in late May has affected 21.5 million people—about 5 times more than the office originally announced.
A team investigating the massive cyber breach “has now concluded with high confidence that sensitive information, including Social Security numbers of 21.5 million individuals, was stolen from the background investigation databases.”
Essentially, every person given a government background check for at least the last 15 years could have been affected. “If an individual underwent a background investigation through OPM in 2000 or afterwards, it is highly likely that the individual is impacted by this cyber breach,” said OPM’s statement.
OPM posts federal job openings, conducts background checks and security clearances, manages pension benefits for retired employees, administers health insurance and other insurance programs to employees, and provides training and development programs for employees and government agencies.
The agency said it has untaken an effort to update its cybersecurity position and has since found two related cyber breaches. Early in June OPM said it would be notifying 4 million employees who may have had personally identifiable information stolen as the OPM worked to get a handle on a cyber security incident. The office said that number hasn’t changed and it has worked to notify those affected, and now it has found this second separate but related cyber incident.
OPM said the latest found breach includes 19.7 million people who applied for a background investigation and 1.8 million non-applicants—spouses or cohabitants of applicants. About 1.1 million affected records include fingerprints.
Background checks of current and former federal employees include Social Security numbers, addresses, education history, employment history, criminal and financial history, and information about immediate family as well as other personal or business acquaintances.
“There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems,” said the office in a statement.
OPM said there is no evidence other systems were breached that contain health, financial, payroll and retirement records of government employees.
The latest announcement confirms what had been expected almost immediately after OPM made its original announcement in early June and OPM Director Katherine Archuleta has faced heavy criticism, with some calling for her to resign.
(UPDATE: Katherine Archuleta, Director of Office of Personnel Management, Resigns)
According to reports, China has surfaced as the leading suspect for the hack.
The American Federation of Government Employees, the largest federal employee union, on June 29 filed a class-action lawsuit against the US OPM, Archuleta, its CIO, and a government service provider.
The AFGE alleges that despite being “on notice of significant deficiencies in its cyber security protocol” since at least 2007, OPM failed to protect the personal data it held.
Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].
