OPM Comes Clean: Dual Breaches Exposed 22.1 Million Individuals

The Office of Personnel Management has finally revealed the total number of current and former US officials and their friends and family affected by two major data breaches thought to have been carried out by China.

In an update released yesterday, the OPM claimed that highly sensitive background-check data on 21.5 million individuals had been stolen in a breach discovered in early June.

This is in addition to the previously disclosed breach of 4.2 million records discovered in April. However, because there’s some duplication, the total number affected is thought to be 22.1 million people.

The statement had the following:

“OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”

The OPM admitted the background investigation data included highly sensitive information on individuals’ mental health and financial history, although “health, financial, payroll and retirement records” are not thought to have been exposed.

The “background investigations” mentioned by the office include the SF-86 form which must be completed by those applying for security clearance for jobs in the military, intelligence services and other restricted roles.

As such, it will be hugely valuable to the attackers. If, indeed, a nation state was behind the raid then they now have a treasure trove of information with which to blackmail, coerce and intimidate US personnel – and possibly even to recruit spies, experts have suggested.

The other breach, significant in its own right, involved the exposure of full name, birth date, home address and Social Security numbers. These could be used to make follow-up spear-phishing attacks on Federal employees more effective.

The OPM concluded rather optimistically:

“At this time, there is no information to suggest misuse of the information that was stolen from OPM's systems. We are continuing to investigate and monitor the situation.”

What’s Hot on Infosecurity Magazine?