Second OPM hack sees 1.1M fingerprint records stolen
Office of Personnel Management officials have confirmed that a data breach involving security clearance files has impacted some 21.5 million individuals and included the fingerprint records of 1.1 million people, according to a report by Defense One.
These are the first major details regarding the hack since OPM first revealed the security breach last month.
OPM will provide a “suite of services” to any individual whose personal information was compromised, which includes nearly everyone who underwent an OPM-led background investigation or reinvestigation since 2000.
Officials also said that it is possible that some individuals who underwent a background investigation before 2000 may have been affected by the hack, but the chances are “less likely.”
The personal information breached in the hack included details such as Social Security numbers; residency and educational history; employment history; information about immediate family and other personal and business relationships; health, criminal and financial history; and other details, OPM said.
OPM also experienced a security breach in May that affected 4.2 million current and former federal employees.
The second breach, which specifically targeted those individuals who underwent background investigations, was discovered in late May as OPM was boosting security levels for its system following its first hack.
Approximately 3.6 million of the individuals impacted by the first hack were also affected by the second breach.
Andy Ozment, assistant secretary for cybersecurity and communications at the Homeland Security Department, said the forensics investigation into the second breach was “extremely complicated,” and that extra time was required to find out exactly who was affected by it.
Of the 21.5 million affected individuals, 19.7 million had applied for a background investigation and 1.8 million were non-applicants, primarily spouses or co-habitants of applicants, said OPM.
Additionally, the breached records include details from interviews conducted by background investigators, and 1.1 million of the records also included fingerprints.
OPM will notify the affected individuals “in the coming weeks.” They will be provided with at least three years' worth of free services, including full-service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continuing credit monitoring and fraud monitoring services beyond credit files, as well as “educational materials and guidance” so that they can better protect themselves against potential fraud.
“For these 21.5 million people, a lifetime’s worth of information was exposed,” said Richard Thissen, president of the National Active and Retired Federal Employees Association. “They deserve nothing less than a lifetime of protection. Three years is not enough and will not bring peace of mind to those awaiting official notification that they were impacted by this incident.”
Several Democratic senators, Barbara Mikulski, Md., Tim Kaine, Va., Mark Warner, Va., and Ben Cardin, Md., formally introduced the Reducing the Effects of the Cyberattack on OPM Victims Emergency Response (RECOVER) Act.
The legislation would provide lifetime credit monitoring to all individuals affected by the hacks as well as up to $5 million in identity theft protection.
Though administration officials have declined to divulge any information regarding potential suspects who may have been responsible for the hack, they did confirm that the hacker committed both breaches.
Additionally, Archuleta and other officials highlighted the progress made by multiple government agencies to improve network security as part of an Office of Management and Budget-mandated “30-day sprint,” including increasing the use of two-factor authentication.