Federal Data Breach Reportedly Affects An Additional 21 Million People

Remember when it was announced that more than four million federal employees in the country were part of a massive data breach last month? Well, turns out that was just one of two rather large data breaches to hit the Office of Personnel Management, with the newly announced second, larger hack affecting upwards of 21 million current and former employees, as well as prospective employees, their families and others who applied for federal background investigations in the last 15 years.

The Office of Personnel Management (OPM) – essentially, the HR/personnel department for the entire federal government – announced this afternoon that it had concluded “with high confidence” that sensitive information, including the Social Security numbers were stolen from the agency’s background investigation databases.

According to the agency, an investigation into the hack affecting about 4.2 million current and former employees of the federal government announced in June led to the discovery of the larger, more wide-reaching breach.

OPM says that if an individual underwent a background investigation in 2000 or after, it is “highly likely that the individual is impacted by this cyber breach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely.”

Of the 21.5 million individuals affected in the breach, 19.7 million simply applied for a background investigation, while about 1.8 million non-applicants – predominantly spouses and co-habitants of applicants –were victims of the breach, OMP says.

In some cases, compromised information includes interviews conducted by background investigators and approximately 1.1 million compromised profiles include fingerprints.

OPM says that information regarding mental health or financial histories provided by those that have applied for a security clearance and by individuals contacted during the background investigation were not affected by the breach.

There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems, the agency states.

In the coming weeks, OPM will begin sending notification packages to individuals who may be affected by the recent beach. Those packages will include educational materials and guidance to help individuals prevent identity theft, better secure their personal and work-related data, and become more generally informed about cyber threats and other risks presented by malicious actors.

The agency says that since it discovered the second breach in April, it has implemented “action to strengthen its broader cyber defenses and information technology systems.”

“Director Katherine Archuleta and the entire Office of Personnel Management are committed to protecting the safety and security of the information of Federal employees and contractors,” the agency says in a statement. “OPM is also committed to helping those that have been impacted by this incident, safeguarding its systems and data, and fulfilling its mission to serve Federal workers.”

OPM Announces Steps to Protect Federal Workers and Others From Cyber Threats [OPM]