New numbers show staggering depth of OPM breach
By Bob Sullivan, ThirdCertainty
Cybercriminals have stolen a staggering amount of information from government computers, a federal agency revealed Thursday, July 9. The total number of victims and the type of information gathered, taken together, make the hack historic.
While researching an attack that saw the compromise of 4.5 million federal workers’ data, the Office of Personnel Management found a second incident that impacts 21.5 million people, both inside and outside of government. Criminals got away with Social Security numbers, passwords, and in some cases, fingerprints, the agency announced. Most federal workers since the year 2000 are at risk.
“This includes 19.7 million individuals who applied for a background investigation, and 1.8 million nonapplicants, primarily spouses or co-habitants of applicants,” the federal agency says on its website. “Some records also include findings from interviews conducted by background investigators, and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”
The federal government, ironically, had collected the stolen data in order to complete background checks on potential and current employees.
“If you underwent a background investigation through OPM in 2000 or afterward … it is highly likely that you are impacted by the incident involving background investigations. If you underwent a background investigation prior to 2000, you still may be impacted, but it is less likely,” the agency said.
References’ data also nabbed
Background checks also can include nonspouses used essentially for references. While those individuals also had their data stolen, they are at a much lower risk, OPM says.
“Beyond applicants and their spouses or co-habitants … you may be someone whose name, address, date of birth, or other similar information may have been listed on a background investigation form. In many cases, the information about these people is the same as what is generally available in public forums such as online directories or social media,” OPM says.
After the fact, protection for life
Federal workers will receive credit monitoring and other identity theft protection services, though the OPM says there is no evidence the data has been used for financial fraud. Numerous reports indicate that federal officials blame computer criminals working on behalf of the Chinese government for the attack. While there has been no official confirmation of that, and no evidence supplied, it’s easy to see how this treasure trove of data on federal workers—including fingerprints—would be useful in international espionage. Earlier this week, FBI Director James Comey said his own personal information had been compromised in the incident.
OPM urges workers to change their passwords and monitor their credit reports for signs of abuse. The agency soon will open a call center just to deal with questions about the incident.
“OPM continues to take aggressive action to strengthen its broader cyber defenses and information technology (IT) systems, in partnership with experts from DoD, DHS, FBI and other interagency partners,” the agency said.