Office of Personnel Management Director Katherine Archuleta quit today amid widespread criticism of her office’s handling of a massive data breach that exposed the personal records of more than 22 million people.
Members of Congress had been calling for Archuleta's resignation since June, when the OPM, which handles security clearances for government employees and contractors, admitted that for the second time in a year, hackers had managed to breach its security and steal data on up to four million current or former holders of security clearances.
Those four million people in June were presumably in addition to the five million federal employees whose data had been compromised when hackers breached the OPM the previous July.
But in a statement released yesterday, the OPM admitted that the extent of the breach was vastly greater than originally believed:
The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants. As noted above, some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints.
That innocuous statement about “findings from interviews” presumably includes a lot of blackmail-worthy information, though no further details have been provided. OPM says that the data of anyone who applied for a security clearance since 2000 (or the spouse or roommate of any such person) is probably at risk. Even pre-2000 data is not guaranteed safe, though it's far less likely that the hackers have it.
Possible connections to China
Security investigators familiar with the case say the evidence suggests the hackers had backing from the Chinese government – though China's government has consistently denied having any role in the attacks, and pointed out that hacking is illegal under Chinese law.
The OPM hackers aren't the only ones suspected of having Chinese connections. The same hackers are also believed to be behind:
last November's breach of the United States Postal Service database (800,000 USPS employees' records compromised, and possibly information about USPS customers as well);
last February's breach of Anthem health insurance company (80 million current and former customers compromised, many of whom work for the federal government or various defense contractors);
last March's breach of Premera Blue Cross (11 million records compromised); and
last May's breach of CareFirst Blue Cross/Blue Shield (“only” 1.1 million that time, but they're mostly residents of D.C. or its suburbs which, like the Anthem breach, means a large percentage of them probably worked for the federal government in some capacity).
Credit and identity monitoring services
On Thursday, when the OPM announced the newly discovered extent of the breach, it also said it would provide credit and identity monitoring services for affected individuals. The OPM also established what it calls an “online incident resource center” as a clearinghouse for information about the breach, and said that “We will begin to notify people affected by the background investigation incident in the coming weeks. At that time, you will be auto-enrolled in some services and will need to take action to enroll in others.”
In fine print at the bottom of the page, the OPM also said that you can email firstname.lastname@example.org with any questions, or call 866-740-7153 for an “automated message on the incidents.” As of press time, that automated message doesn't offer any information you can't find more readily on the OPM's “incident resource center” – if you want general information about the breach, the resource center is a better bet than calling the number.