What Do You Need to Know About the OPM Data Breaches?

By on July 9, 2015 in Agency News, Human Resources with 16 Comments

Image of hacker in hood

Updated: 7/10/2015 12:54 PM

The Office of Personnel Management announced Thursday that the personal data of many more individuals had been stolen in the second of two recent data breaches that hit the agency’s servers.

News about the breaches has been coming in waves since they were first publicly announced in June, and the volume of information combined with conflicting reports means it can get confusing.

Here are some of the key points federal employees will want to know based on the currently available information.

How many breaches were there and how many people were impacted?

Two breaches hit OPM’s servers. The first was reported publicly in June by OPM and affected the personal data of 4.2 million current and former federal employees. OPM said this figure has not changed since it was first announced.

The second was discovered shortly thereafter while OPM was investigating the first breach. It is the larger one of the two. While different reports citing various sources swirled for weeks about how many individuals were affected by this breach, it wasn’t formally announced by OPM until July 9 that 21.5 million individuals’ personal data were stolen.

Collectively between both breaches, the total number of people potentially impacted is nearly 26 million.

What types of personal data were compromised?

The first breach impacted personal data of current and former federal employees such as full name, birth date, home address and Social Security Numbers.

The second breach, however, impacted different types of data. It affected background investigation records of current, former, and prospective Federal employees and contractors. The types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.

Does this include spouses?

Spouses of federal workers are also potentially affected by the second breach. Included in the 21.5 million figure are 19.7 million individuals that applied for a background investigation and 1.8 million non-applicants, primarily spouses or co-habitants of applicants.

For a detailed breakdown of the impacted data in breach number two, be sure to see our post Personal Data of 21.5 Million Individuals Stolen in Second OPM Data Breach.

What is OPM doing to help you?

For the 4.2 million individuals affected by the first breach, OPM is providing free credit monitoring services for 18 months through CSID, a private company. Notices such as this one were sent out to these individuals with details and instructions on signing up for this service.

For the 21.5 million people affected by the second breach, OPM and DoD are providing a suite of credit monitoring services for up to three years at no charge. This will be administered by a private sector company to provide services such as:

  • Full service identity restoration support and victim recovery assistance
  • Identity theft insurance
  • Identity monitoring for minor children
  • Continuous credit monitoring
  • Fraud monitoring services beyond credit files

In the coming weeks, OPM will begin sending notification packages to these 21.5 million individuals which will provide details on the incident and information on how to access these services. This will include spouses or other individuals whose Social Security numbers were compromised. This protection is not being extended to individuals whose name, address, date of birth, or other similar information may have been listed on a background investigation form (and therefore exposed), but whose Social Security Numbers were not compromised as this is not considered high risk information by OPM. OPM has not said how long the process of contacting affected individuals will go on, but with 21.5 million people involved, do not be surprised if it takes a while for you to receive your notice.

What about free lifetime credit monitoring? At this point, this is just wishful thinking. Federal employee unions have said that OPM should provide lifetime credit monitoring (as well as many FedSmith.com users based on comments and emails we’ve received), but OPM’s current official statement declares the timeframes for the credit monitoring services outlined above.

There will undoubtedly be many unanswered questions from the victims, so OPM is also setting up a call center to help answer these. There is no date set for when it will be opened, but it is sometime in the “coming weeks.”

In the meantime, OPM has set up an online resource center at https://www.opm.gov/cybersecurity with details about the breaches as well as to direct individuals to materials, training, and useful information on best practices to secure data, protect against identity theft, and stay safe online.

Going forward, the Administration will work with Federal employee representatives and other stakeholders to develop a proposal for the types of credit and identity theft monitoring services that should be provided to all Federal employees in the future – regardless of whether they have been affected by this incident – to ensure their personal information is always protected.

Who did this?

Numerous reports have said that China is likely behind the attack, and the United States has identified China as the prime suspect, which China is naturally denying. However, the government still is not willing to officially pin the blame on the Chinese.

OPM’s director resigns over breaches

Image of OPM Director Katherine Archuleta

OPM Director Katherine Archuleta

A growing number of lawmakers were calling for OPM Director Katherine Archuleta to resign over the data breaches and on Friday, July 10, she officially tendered her resignation from the agency.

FedSmith.com users had overwhelmingly said in a recent poll that they think both Archuleta and her Chief Information Officer Donna Seymour need to step down (80% of respondents said Archuleta should resign and 88% said the same about Seymour).

The White House has defended Archuleta since the resignation calls began. White House spokesman Josh Earnest said in a press conference on June 17, “The president does have confidence that she [Archuleta] is the right person for the job.”

The White House has said it up until Archuleta’s announcement that it has no plans to change this position.

The above is a summary of what is currently known about the breaches, and FedSmith.com will continue to provide you with new information as it becomes available.

© 2016 Ian Smith. All rights reserved. This article may not be reproduced without express written consent from Ian Smith.


About the Author

Ian Smith is one of the co-founders of FedSmith.com. He enjoys writing about current topics that affect the federal workforce. Ian also has a background in web development and does the technical work for the FedSmith.com web site and its sibling sites.