New numbers show staggering depth of OPM breach

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

By Bob Sul­li­van, ThirdCertainty

Cyber­crim­i­nals have stolen a stag­ger­ing amount of infor­ma­tion from gov­ern­ment com­put­ers, a fed­er­al agency revealed Thurs­day, July 9. The total num­ber of vic­tims and the type of infor­ma­tion gath­ered, tak­en togeth­er, make the hack historic.

While research­ing an attack that saw the com­pro­mise of 4.5 mil­lion fed­er­al work­ers’ data, the Office of Per­son­al Man­age­ment found a sec­ond inci­dent that impacts 21.5 mil­lion peo­ple, both inside and out­side of gov­ern­ment. Crim­i­nals got away with Social Secu­ri­ty num­bers, pass­words, and in some cas­es, fin­ger­prints, the agency announced. Most fed­er­al work­ers since the year 2000 are at risk.

Secu­ri­ty & Pri­va­cy News Roundup: Stay informed of key pat­terns and trends

This includes 19.7 mil­lion indi­vid­u­als who applied for a back­ground inves­ti­ga­tion, and 1.8 mil­lion non­ap­pli­cants, pri­mar­i­ly spous­es or co-habi­tants of appli­cants,” the fed­er­al agency says on its web­site. “Some records also include find­ings from inter­views con­duct­ed by back­ground inves­ti­ga­tors, and approx­i­mate­ly 1.1 mil­lion include fin­ger­prints. User­names and pass­words that back­ground inves­ti­ga­tion appli­cants used to fill out their back­ground inves­ti­ga­tion forms were also stolen.”

The fed­er­al gov­ern­ment, iron­i­cal­ly, had col­lect­ed the data stolen to com­plete back­ground checks on poten­tial and cur­rent employees.

If you under­went a back­ground inves­ti­ga­tion through OPM in 2000 or after­ward … it is high­ly like­ly that you are impact­ed by the inci­dent involv­ing back­ground inves­ti­ga­tions. If you under­went a back­ground inves­ti­ga­tion pri­or to 2000, you still may be impact­ed, but it is less like­ly,” the agency said.

Ref­er­ences’ data also nabbed

Back­ground checks also can include non­spous­es used essen­tial­ly for ref­er­ences. While those indi­vid­u­als also had their data stolen, they are at a much low­er risk, OPM says.

Beyond appli­cants and their spous­es or co-habi­tants … you may be some­one whose name, address, date of birth, or oth­er sim­i­lar infor­ma­tion may have been list­ed on a back­ground inves­ti­ga­tion form. In many cas­es, the infor­ma­tion about these peo­ple is the same as what is gen­er­al­ly avail­able in pub­lic forums such as online direc­to­ries or social media,” OPM says.

After the fact, pro­tec­tion for life

Fed­er­al work­ers will receive cred­it mon­i­tor­ing and oth­er iden­ti­ty theft pro­tec­tion ser­vices, though the OPM says there is no evi­dence the data has been used for finan­cial fraud. Numer­ous reports indi­cate that fed­er­al offi­cials blame com­put­er crim­i­nals work­ing on behalf of the Chi­nese gov­ern­ment for the attack. While there has been no offi­cial con­fir­ma­tion of that, and no evi­dence sup­plied, it’s easy to see how this trea­sure trove of data on fed­er­al workers—including fingerprints—would be use­ful in inter­na­tion­al espi­onage. Ear­li­er this week, FBI Direc­tor James Comey said his own per­son­al infor­ma­tion had been com­pro­mised in the incident.

OPM urges work­ers to change their pass­words and mon­i­tor their cred­it reports for signs of abuse. The agency soon will open a call cen­ter just to deal with ques­tions about the incident.

OPM con­tin­ues to take aggres­sive action to strength­en its broad­er cyber defens­es and infor­ma­tion tech­nol­o­gy (IT) sys­tems, in part­ner­ship with experts from DoD, DHS, FBI and oth­er inter­a­gency part­ners,” the agency said.

More on emerg­ing threats
Cor­po­rate use of cloud apps spikes risk of breaches
Word­Press emerges as a cyber­crime hotbed
Mali­cious ads pose insid­i­ous, elu­sive threat


Posted in Data Breach, Data breaches