Breach Notification , Breach Preparedness , Breach Response

Millions More Affected by OPM Breach

Estimated Victim Count Expands to as Many as 14 Million
Millions More Affected by OPM Breach

The apparent severity of what's being called one of the biggest U.S. government breaches in history continues to expand, now potentially stretching to include three decades' worth of background checks and security clearance investigations.

See Also: IoT is Happening Now: Are You Prepared?

Investigators reportedly now believe that 4.2 million current federal employees, as well as up to 10 million former federal employees and contractors, may have had their personal details stolen by attackers who hacked into U.S. Office of Personnel Management systems in the second breach of the agency found in the past year (see Report: OPM Breach Found During Demo).

Speaking on condition of anonymity due to related information remaining classified, a Congressional official and a former U.S. official - who have been briefed on the breach investigation - told the Associated Press that current estimates place the number of records exposed in the second breach at between 9 million and 14 million, and stretch back to the 1980s. That breach tally represents a marked increased from the 4 million records that the Obama administration first said it believed may have been exposed.

Exclusive Webinar: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

Multiple U.S. administration officials - as well as some third-party security experts - say that the breach appears to trace to China (see OPM Breach: The Unanswered Questions). "This was the most significant breach of federal networks in U.S. history," Mike McCaul (R-Texas), chair of the House homeland security committee, said June 14 on CBS's "Face the Nation" program. "Now, in my judgment this was an attack by China against the United States government. It quantifies to espionage, and that raises all sorts of issues that we need to deal with."

Chinese Foreign Ministry spokesman Hong Lei has labeled any suggestion that the Chinese government was tied to the OPM breach as "groundless."

Whoever the culprit, the updated tally of breach victims appears to confirm fears first voiced last week by the American Federation of Government Employees union - which represents 670,000 employees - that the severity of the breach was much worse than the Obama administration was reporting. And while officials have confirmed that some version of the Department of Homeland Security's Einstein intrusion prevention and detection system was in place, it apparently failed to stop the breach (see Dissecting the OPM Breach).

Now, in the wake of reports that appear to confirm that assessment, the National Federation of Federal Employees has renewed its calls for the White House to share what it knows. "Federal employees are concerned that the scope of the cybersecurity breach is bigger and more serious than we were first told," says NFFE president William Dougan. "Federal employees are not happy with how this matter has been handled. We want some straight-talking from the administration on this issue, and we want it now."

At Risk: National Security Employees

Hackers reportedly accessed OPM repositories that stored copies of the U.S. government's Standard Form 85 - Questionnaire for Non-Sensitive Positions - and Standard Form 86 - Questionnaire For National Security Positions.

From a national security standpoint, the exposure of data from the 127-page Form SB-86 could be especially damaging, because it requires any federal employee who seeks clearance to work with classified data to share personal information relating to mental illnesses, alcohol or drug abuse, bankruptcies and love affairs. Some military and intelligence agency employees, as well as all Secret Service, federal law enforcement agencies, and employees for other sensitive U.S. government posts, must submit such information. And their personal details may now be in the hands of foreign spies, experts warn, and could become tools for blackmailing or influencing U.S. officials, or else deducing which employees inside foreign embassies are likely intelligence agents working under diplomatic cover.

"It has more data than a mortgage application," Phillip Carter, a senior fellow at the Center for a New American Security - and a lawyer who has handled security-clearance cases - tells The Wall Street Journal.

While the Central Intelligence Agency conducts its own background and clearance-related investigations, the National Security Agency, State Department and Department of Defense all make at least some use of the OPM's services, Reuters reports.

The SB-86 form warns that providing inaccurate information or false statements can be punished with fines or up to five years of imprisonment. "The information you provide is for the purpose of investigating you for a national security position, and the information will be protected from unauthorized disclosure," the form says.

Deeply Personal Information

Evidence of the type of information contained in these forms is illustrated by the case of a 51-year-old defense contractor and military veteran who disclosed in the "additional comments" section of form SB-86 that he had been conducting an affair for more than 20 years with his former college roommate's wife. His case came to light - as Reuters first reported - after a judge upheld the man's appeal to the Defense Department's Office Of Hearings and Appeals that he should be granted a higher security clearance, for which he had been denied, after voluntarily disclosing the affair.

In a May 13 decision, the administrative judge who heard the man's case - his identity is not disclosed in the ruling - noted that the "applicant and his friend's wife ended the affair in 2013" and that "applicant told his wife about the affair in October 2014."

"The DoD is aware of the affair because applicant disclosed it on his SF 86; the affair is over; and the key people in applicant's life are aware of it," the judge wrote, granting the man's request to receive an elevated security clearance and continue to have access to classified information.

Thanks to the OPM breach, however, those personal details may now also be in the hands of hackers or a foreign government.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network