The Office of Personnel Management has released the following list of frequently asked questions covering important information related to the cyber breach reported last week that impacted the personal information of as many as 4 million current and former federal workers:
Within the last year, the Office of Personnel Management (OPM) has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its various networks. As a result, in April 2015, OPM became aware of a cybersecurity intrusion affecting its information technology (IT) systems and data.
Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security U.S. Cyber Incident Response Team (US-CERT), and the Federal Bureau of Investigation to determine the impact to current and former Federal personnel. OPM immediately implemented additional security measures and will continue to improve the security for the sensitive information it manages. The FBI has opened an investigation in order to identify and hold accountable the person(s) responsible for this incident.
OPM will send notifications to approximately 4 million individuals whose PII may have been compromised. Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary. In order to mitigate the risk of fraud and identity theft, OPM will offer credit report access, credit monitoring and identity theft insurance and recovery services at no cost to them, through CSID®, a company that specializes in identity theft protection and fraud resolution.
Were these employees OPM employees or employees from across the executive branch? Was the legislative or judicial branch impacted by this intrusion?
OPM services the Federal workforce so the affected population includes Executive Branch agencies and employees.
Were members of the military affected by the breach?
This incident did not affect military records. No contractors were affected unless they previously held Federal civilian positions. The incident affected current and former Federal civilian personnel, including Department of Defense civilian employees.
Have the police been notified? If so, with which police department and what is the case number?
Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation (FBI) to determine the full impact to Federal personnel and investigate the intrusion. Federal law enforcement continues to investigate the matter and assist with remediation efforts. OPM immediately implemented additional security measures and will continue to improve security for the sensitive information it manages.
When did this happen?
The intrusion occurred in December 2014. OPM became aware of the intrusion into its systems in April 2015 after implementing tough new measures to deter and detect cyberattacks. During its investigation with its agency partners, the FBI and US-CERT, OPM became aware of potentially compromised data in May 2015.
What systems were affected?
For security reasons, OPM cannot publicly discuss specifics of the systems that might be affected by the compromise of personnel data. Additionally, due to the ongoing investigation, it would be inappropriate to publicly provide information that may impact current work by law enforcement. OPM has added additional security controls to better protect overall networks and systems and the data they store and process.
What personal information was compromised?
OPM maintains personnel records for the Federal workforce. The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, and current and former addresses. It is the type of information you would typically find in a personnel file, such as job assignments, training records, and benefit selection decisions, but not the names of family members or beneficiaries and not information contained in actual policies. The notifications to potentially affected individuals will state exactly what information may have been compromised.
How many people are involved?
Approximately 4 million current and former Federal employees.
Why didn’t OPM tell affected individuals about the loss of the data sooner?
OPM became aware of the intrusion in April 2015. OPM worked with US-CERT as quickly as possible to assess the extent of the malicious activity and to identify the records that may have been compromised. During the investigation, OPM became aware of potentially compromised data in May 2015. As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals.
It is important to note that this is an ongoing investigation that could reveal additional exposure; if that occurs, OPM will conduct additional notifications as necessary. Protecting the integrity of the information entrusted to OPM is the agency’s highest priority.
What is OPM doing to prevent this kind of loss from happening again?
Because cyber threats are evolving and pervasive, OPM is continuously working to identify and mitigate threats when they occur. OPM evaluates its IT security protocols on a continuous basis to make sure that sensitive data is protected to the greatest extent possible, across all networks where OPM data resides—including those managed by government partners and contractors.
Has the information been misused?
At this time, we have no evidence that there has been any use or attempted use of the information compromised in this incident. This is an ongoing investigation and OPM will continue to be vigilant to ensure that necessary security measures are in place to further strengthen and protect our networks, systems, and data.
I did not receive a letter stating that my information was compromised, but feel that I should have. Can you help me?
OPM is aware of the affected data and the networks and the data on which it resides. OPM will begin sending notifications to individuals whose PII may have been compromised on June 8, 2015. These notifications will take place on a rolling basis through June 19, 2015. The email will come from