The Office of Personnel Management announced Thursday that the second of two recent hacks compromised the information of 21.5 million people, exposing sensitive data that was drawn from background checks conducted by the government.
In a press release, OPM said its investigation into the breach found that sensitive information, including the Social Security numbers of those 21.5 million individuals, was stolen from the background investigation databases. That includes 19.7 million individuals who applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.
OPM also said that some of those records include approximately 1.1 million biometric fingerprints.
This breach goes beyond another hack the agency announced last month that compromised more than 4 million current and former federal employees. In an email to FedScoop, OPM said 3.6 million people were affected by both hacks, and, in all, 22.1 million people were impacted by the hacks.
The information stolen from OPM includes residency and educational history; employment history; information about immediate family and other personal and business acquaintances; and health, criminal and financial history, along with usernames and passwords that background investigation applicants used to fill out their background investigation forms.
OPM doesn’t believe that separate systems that hold some information taken from background checks, including mental health and financial history, were compromised as a result of this breach.
The agency said anyone who underwent a background investigation through OPM from 2000 and beyond is highly likely to be affected. The government is offering three years of credit monitoring and identity theft insurance for anyone who has had his or her information compromised.
The agency also released a guide that will keep people updated on OPM’s response and on what the agency is doing to upgrade its cybersecurity defenses.
Shortly after the OPM announcement, the White House announced a number of cybersecurity measures it has put into place, including some preliminary results from its 30-day cybersecurity sprint.
Since announcing the effort, the White House said multifactor authentication has improved by 20 percent, with some agencies now requiring multifactor authentication for all privileged users.
Also, the Department of Homeland Security has scanned more than 40,000 systems for critical vulnerabilities, patching flaws as they’ve been found. DHS also has accelerated adoption of Einstein 3A, the intrusion prevention system used to guard civilian agencies. Einstein 3A now covers 15 federal civilian executive branch departments and agencies, a 20 percent increase over the past nine months. DHS now expects to award a contract to provide Einstein 3A for all federal civilian agencies by the end of 2015.
Almost instantly after the news was announced, lawmakers continued their calls for OPM Director Katherine Archuleta to resign.
“As I’ve said since June 16, after the Oversight Committee held the first hearing on this disastrous data breach, Director Archuleta and CIO Donna Seymour need to resign or be removed,” said Rep. Jason Chaffetz, R-Utah, in a statement. “Since at least 2007, OPM leadership has been on notice about the vulnerabilities to its network and cybersecurity policies and practices. Director Archuleta and Ms. Seymour consciously ignored the warnings and failed to correct these weaknesses. Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries. Such incompetence is inexcusable.”
Despite those resignation requests, Archuleta has no plans to resign. When asked during a phone call with press if she or Seymour would resign, Archuleta replied “No,” praising the work OPM staffers have done in seemingly boosting the agency’s cybersecurity stance.
“It’s because the efforts of OPM and its staff that we’ve been able to identify the breaches,” Archuleta said.
Rep. Will Hurd, R-Texas, called it “outrageous” that no one has been held accountable for the breaches. In a phone call with FedScoop, he called for Archuleta to step down.
“One hundred percent, I think she should resign,” Hurd said. “And to be frank, I think President Obama should ask for her resignation. The fact that over 21 million people’s information has been hacked and this is the largest breach in the federal government’s history, I think that would lead people to believe that she hasn’t done her job protecting the information that she has been entrusted with.”
Archuleta and OPM may not have security data left to protect from future breaches. Shortly after the OPM announcement, Rep. Ted Lieu, R-Calif., and Rep. Steve Russell, R-Okla., announced they were working on legislation to move background checks out of OPM’s scope of responsibility.
“In hindsight, it was a mistake to move the security clearance system to OPM in 2004. We need to correct that mistake,” Lieu said in a statement. “Every American affected by the OPM security clearance breach deserves and demands a new way forward in protecting their most private information and advancing the vital security interests of the United States.”
“OPM has proven they are not up to the task of safeguarding our information, a responsibility that allows for no error,” Russell said in the same statement. “I look forward to working with Congressman Lieu on accountability and reform of this grave problem.”