Personal Data of 21.5 Million Individuals Stolen in Second OPM Data Breach

The Office of Personnel Management said today that the personal data of 21.5 million individuals were compromised in the second of two data breaches that hit the agency’s servers.

The Office of Personnel Management said today that the personal data of 21.5 million individuals were compromised in the second of two data breaches that hit the agency’s servers.

This is in addition to the 4.2 million current and former federal employees that OPM said were impacted by the breaches and Social Security Numbers were affected. This number has not changed since it was announced by OPM in early June and you should have already received a notification if you were impacted.

  • While investigating this incident, in early June 2015, OPM discovered that additional information had been compromised: including background investigation records of current, former, and prospective Federal employees and contractors. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen. Notifications for this incident have not yet begun. While background investigation records do contain some information regarding mental health and financial history provided by applicants and people contacted during the background investigation, there is no evidence that health, financial, payroll and retirement records of Federal personnel or those who have applied for a Federal job were impacted by this incident (for example, annuity rolls, retirement records, USA JOBS, Employee Express).

If you underwent a background investigation through OPM in 2000 or afterward (which occurs through the submission of forms SF-86 (PDF file) [6.98 MB], SF-85 (PDF file) [354.59 KB], or SF-85P (PDF file) [513.33 KB] for either a new investigation or a reinvestigation), it is highly likely that you are impacted by the incident involving background investigations. If you underwent a background investigation prior to 2000, you still may be impacted, but it is less likely.

Information for federal employees

OPM has provided the following information for current and former federal employees:

  • If you are a current or former Federal government employee, including members of the U.S. military, you may have been impacted by the incident affecting background investigation records. You may also have been impacted by the separate incident involving personnel data.
    • Types of information involved in the background investigation records incident that may have been impacted:
      • Social Security Numbers
      • Residency and educational history
      • Employment history
      • Information about immediate family and personal and business acquaintances
      • Health, criminal and financial history that would have been part of your background investigation

      Some records could also include:

      • Findings from interviews conducted by background investigators
      • Fingerprints.
      • Usernames and passwords used to fill out your forms.

      Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.

      If you may have used your e-QIP (the online system used to process forms) password for other accounts or services, you should change your passwords for those accounts immediately and not reuse any passwords that you used in the e-QIP system.

    • Types of information involved in personnel data incident include:
      • Name
      • Social Security number
      • Date and place of birth
      • Current and former addresses
      • Common personnel file information such as job assignments, training records, and benefit selection decisions

    Protections available to you:

    1. We have sent notifications to those affected by the incident involving personnel data. We are offering free identity theft monitoring and restoration services. If you were affected by this incident, you have been sent a notice that includes information about the free services available to you for 18 months. As part of this service, you are automatically enrolled in:
      • Full service identity restoration, which helps to repair your identity following fraudulent activity;
      • Identity theft insurance, which can help to reimburse you for certain expenses incurred if your identity is stolen.

      Instructions on how to enroll in other services were included in your notification.

    2. For those affected by the background investigation incident, we will be providing you with a similar suite of comprehensive services in the coming weeks. You will receive a notice in the mail providing details on the incident and the services available to you at no cost for at least three years such as:
      • Full-service identity restoration support and victim recovery assistance
      • Identity theft insurance
      • Identity monitoring for minor children
      • Continuous credit monitoring
      • Fraud monitoring services beyond credit files

      This notification will also include detailed information that you can provide to other individuals you may have listed on your form. This information will explain the types of data that may have been included on the form, best practices they can exercise to protect themselves, and the resources publicly available to address questions or concerns.

      Your department or agency may reach out with additional information specific to you.

Spouses of current and former federal employees

OPM has provided the following information for spouses that may be impacted:

Social security numbers of the spouses and co-habitants of applicants were stolen as a result of the background investigation record incident.

Protections available to you:

For those affected by the background investigation incident, we will be providing you with a similar suite of comprehensive services in the coming weeks. You will receive a notice in the mail providing details on the incident and the services available to you at no cost for at least three years such as:

  • Full service identity restoration support and victim recovery assistance
  • Identity theft insurance
  • Identity monitoring for minor children
  • Continuous credit monitoring
  • Fraud monitoring services beyond credit files

More information

OPM has also provided the following general information about the data breaches:

What you can do

At this time, there is no information to suggest misuse of the information that was stolen from OPM’s systems. We are continuing to investigate and monitor the situation. We will begin to notify people affected by the background investigation incident in the coming weeks. At that time, you will be auto-enrolled in some services and will need to take action to enroll in others.

What we are doing to help

  • We have sent notifications to those affected by the incident involving personnel data. We are offering free identity theft monitoring and restoration services. If you were affected by this incident, you have been sent a notice that includes information about the free services available to you for 18 months. As part of this service, you are automatically enrolled in:
    • Full service identity restoration, which helps to repair your identity following fraudulent activity;
    • Identity theft insurance, which can help to reimburse you for certain expenses incurred if your identity is stolen.

    Instructions on how to enroll in other services were included in your notification.

    For those affected by the background investigation incident, we will be providing you with a suite of comprehensive services in the coming weeks. You will receive a notice in the mail providing details on the incident and the services available to you such as:

    • Full service identity restoration support and victim recovery assistance
    • Identity theft insurance
    • Identity monitoring for minor children
    • Continuous credit monitoring
    • Fraud monitoring services beyond credit files

    For those who have questions. In the coming weeks, a call center will be opened to respond to questions and provide more information. If you are affected, you will not be able to receive personalized information until notifications begin and the call center is opened. OPM recognizes that it is important to be able to provide individual assistance to those that have questions, and will work with its partners to establish this call center as quickly as possible.

    Protecting all Federal employees. In the coming months, the Administration will work with Federal employee representatives and other stakeholders to develop a proposal for the types of credit and identity theft monitoring services that should be provided to all Federal employees in the future – regardless of whether they have been affected by this incident – to ensure their personal information is always protected.

For more information on the OPM data breaches, see our collection of posts.

About the Author

Ian Smith is one of the co-founders of FedSmith.com. He has over 20 years of combined experience in media and government services, having worked at two government contracting firms and an online news and web development company prior to his current role at FedSmith.