Sensitive info of over 21.5M people, including SSNs and fingerprints, stolen in OPM hack

The US Office of Personnel Management (OPM) revealed on Thursday the full extent of the information stolen in the two data breaches it suffered in 2014.

In the first breach, personnel data (name, date of birth, address, SSN) of 4.2 million current and former Federal government employees was stolen. In the second, the number of affected individuals is a staggering 21.5 million.

“While investigating this incident, in early June 2015, OPM discovered that additional information had been compromised: including background investigation records of current, former, and prospective Federal employees and contractors,” the OPM stated.

“OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”

“If you underwent a background investigation through OPM in 2000 or afterwards (which occurs through the submission of forms SF-86, SF-85, or SF-85P, for either a new investigation or a reinvestigation), it is highly likely that you are impacted by the incident involving background investigations,” they said. But even those who underwent background investigation before 2000 can’t consider their information safe: “You still may be impacted, but it is less likely.”

All in all, the attackers now hold, for each affected individual, things like criminal history, education and employment history, home address, the investigators' assessment of the applicant's character and conduct, personal information about spouses, family and close friends, details of drug use, and more.

“It is outrageous that the personal information of at least 21.5 million individuals has been compromised as a result of an extensive cyber-attack at the Office of Personnel Management (OPM). Despite knowing that its files contained highly sensitive personal data such as Social Security numbers, home addresses, dates of birth, and in some cases, extensive background information, OPM officials ignored repeated warnings from its own Inspector General about the vulnerability of its computer systems,” commented US Senator Susan Collins.

“It is also unacceptable that OPM officials for weeks maintained that only 4.2 million Americans were affected, disputing the FBI’s assertion that the real number was 18 million. Today, we finally learn from OPM that the accurate number is many times the 4.2 million and even higher than that initially estimated by the FBI. In the latest statement, OPM officials implausibly assert that ‘There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems.’ That incredible statement, which implies that the perpetrators of this lengthy and extensive attack have no intention of using the stolen data, suggests that OPM has yet to come to grips with the gravity of this cyber-attack.”

“The continuation of the OPM breach is sadly not that surprising, given the state of security across government systems. Our own research shows that government organizations fix only about 27 percent of software vulnerabilities once they’re found. When you’re dealing with such sensitive information, this is very alarming,” says Chris Wysopal, CTO and CISO of Veracode.

“While we haven’t seen the personal information being used yet, this is to be expected. It’s rare that information that can be used for blackmail or as precursor information for phishing attacks would be seen being used. The types of attacks where we see the information used are typically criminals obtaining credit card numbers or banking information or personally identifiable information (PII) for financial fraud or hacktivists using the info to embarrass the victim. The lack of usage of information points to the sophistication of the attacker. It is either a nation state or a very sophisticated criminal attack which we haven’t seen exercised before.”

“This is bigger than Anthem and Premera,” stated Adam Levin, chairman and founder of IDT911. “This not only affects millions of federal employees, but their families as well. They become the collateral damage. Those affected are now exposed to identity theft, phishing schemes and possible extortion threats.”

“This is an egregious breach of the public trust. The way back from this will not be an easy one. We are not talking about changing a credit card number. There is no zero liability policy for someone whose Social Security Number and the intimate details of their private life are floating out there for any bad actor who wants to use it against them either financially or politically. This is life altering,” he pointed out.

“This is the time for heads to roll at OPM. Just as the victims, many of whom have served and defended their country in good faith, are not facing a zero liability future, those who failed to serve and defend them should be treated with zero tolerance. Perhaps then someone will hopefully get the message and Washington will stop doing the Potomac 2-step and stand up for Americans.”