Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
OPM Breach Numbers 'Enormous'
FBI Director Says Scope to be Revealed Soon; New Lawsuit Filed (Editor's Note: Katherine Archuleta resigned July 10 as director of the Office of Personnel Management. See the latest update for more information.)How bad was the U.S. Office of Personnel Management data breach?
See Also: Gartner Market Guide for DFIR Retainer Services
Really bad, FBI Director James Comey told the Senate Intelligence Committee at a July 8 hearing, noting that the cyber-attack against OPM had resulted in an "enormous breach," The Wall Street Journal reports (see Analysis: Why the OPM Breach Is So Bad).
Comey says the White House soon plans to issue an announcement that "millions and millions" of records relating to government background checks were stolen, dating back for at least two decades. That squares with reports that in recent weeks, Comey had already made the same observations to U.S. senators in closed-door briefings (see OPM Breach Victims: Tens of Millions?).
OPM announced on June 4 that the personnel files for 4.2 million current and former federal workers - including names, addresses, Social Security numbers and other personal information - were exposed via a 2014 hack of its systems. On June 12, OPM then warned that millions of employees' Standard Form 86, or SF-86, background-check records had also been exposed, though it has yet to quantify how many people may have been affected.
To date, the White House has not attributed the OPM hack to any person or state, but is has acknowleged that it is weighing sanctions. U.S. Director of National Intelligence James Clapper, however, has noted that the "leading suspect" behind the attack is China. The Chinese government, however, has denied having any involvement in the hack attack.
Second Union Sues OPM
As the reported scope of the breach continues to expand, so do the political and legal repercussions. Last month, the American Federation of Government Employees union, which represents 670,000 employees, filed a class-action lawsuit against both OPM and multiple OPM officials (see OPM Suspends Background Check System).
Now, the National Treasury Employees Union, which represents 150,000 employees, has filed a breach-related suit against OPM. Its lawsuit, filed July 8, alleges that the agency violated NTEU members' constitutional rights by failing to safeguard their personal information (see Why So Many Data Breach Lawsuits Fail).
"Federal employees entrust highly personal information to OPM with the expectation that it will be kept confidential and safe from unauthorized access," says NTEU President Colleen M. Kelley. "OPM's failure to do so violated our members' constitutional right to informational privacy."
The union is demanding that OPM provide all NTEU members with lifetime credit-monitoring services and identity theft protection, pursue steps to better secure its security infrastructure and not collect any electronic data from NTEU members until a court signs off on the agency's information security upgrades.
"We believe that a lawsuit is the best way to force OPM to take immediate steps to safeguard personnel data, prevent such attacks in the future and help our members protect themselves against the fallout," Kelley says.
ID Theft Monitoring
To date, OPM has offered 18 months of identity theft monitoring services to the 4 million federal workers and contractors that began receiving breach-notification alerts on June 4, telling them that their personal information was exposed.
But the government has yet to make any similar moves for what security experts have been saying are the likely tens of millions more whose personal information may have been stolen. Beyond that, anyone named as a family member, partner or acquaintance in the SB-86 background forms - which federal employees and contractors must submit when requesting or renewing a security clearance - may also have had their personal information compromised.
Sen. Benjamin Cardin, D-Md., announced July 8 that he will introduce legislation that extends the identity theft services being offered to exposed federal workers to more than 18 months. "Senator Cardin has committed to introducing legislation that would better protect all individuals affected by the OPM data breach," says the senator's spokeswoman, Sue Walitsky, The Washington Post reports. "The details are still being hammered out, but his bill would extend coverage and increase loss limits."
But NTEU reports that, to date, its members have been facing difficulties related to enrolling in the identity-theft monitoring program that the government has commissioned from CSID in Austin, Texas. "They report being unable to reach operators on the toll-free phone line and say that the CSID website frequently crashes or freezes up and rejects assigned personal identification numbers and passwords," the union says.