Last month the Office of Personnel Management (OPM) announced that because of a cybersecurity breach, the records of 4 million citizens had been stolen by unknown hackers. Yesterday, the OPM released its official damage assessment, and it turns out the number is much, much larger: 21.5 million, or 1 in every 15 Americans.
Despite the colossal failure, OPM Director Katherine Archuleta told reporters she will not resign and won’t fire her chief information officer. In fact, the Obama Administration doesn’t seem to be holding anyone—other than the perpetrators—responsible for a leak that exposed even the records of FBI Director James Comey. (UPDATE: Today, Archuleta decided that she will resign after all.)
“I’m sure the adversary has my SF-86 now,” said Comey. “My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”
Here is what you need to know about what some have called the “cyber Pearl Harbor.”
What is the “OPM hack”?
The “OPM hack” refers to a massive data breach in which hackers, believed to be based in China, acquired personnel records of federal employees from the Office of Personnel Management (OPM).
What is the OPM?
The OPM (Office of Personnel Management) serves as the human resource department for the federal government. Among other duties, the agency conducts background investigations for prospective employees, issues security clearances, and compiles records of all federal government employees.
How many records were stolen?
The OPM said that 21.5 million employees, both current and past, have been affected.
The exact amount of data stolen, however, may be unknowable since, according to one U.S. official, “OPM officials and other authorities still don’t have a good handle on how much information was actually stored by OPM in the first place.”
What type of records were stolen?
Some of the records stolen were the Questionnaire for National Security Positions form, known as the SF-86 form. The 126-page form contains a plethora of information about an individual, including their Social Security number, birthdate, addresses, passport information, financial information, previous employment activities, connections to foreign nationals, etc.
When did the data breach occur?
The OPM, which publicly acknowledged the hack this week, says the agency identified a “cybersecurity incident” two months ago affecting its information technology (IT) systems and data. But according to ABC News, the hackers had access to the government databases for more than a year before they were detected.
How could the data be used?
As Kim Zetter and Andy Greenberg of Wired explain, federal background checks are meant to suss out information that might be used by foreign enemies to blackmail a government staffer into turning over classified information.
Ken Ammon, chief strategy officer for a cyber security firm, told the BBC the hacked data could be used to impersonate or blackmail federal employees with access to sensitive information.
And as former counterintelligence officer John R. Schindler says,
Whoever now holds OPM’s records possesses something like the Holy Grail from a [counterintelligence] perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side (perhaps with someone of a different gender than your normal partner) — since all that is recorded in security clearance paperwork.
Do you have friends in foreign countries, perhaps lovers past and present? They know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that too. Your college drug habit? Yes, that too. Even what your friends and neighbors said about you to investigators, highly personal and revealing stuff, that’s in the other side’s possession now.
What does the government plan to do about the data breach?
The OPM will be offering identity theft monitoring for those who have been affected. According to an OPM press release:
In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring and identity theft insurance and recovery services to potentially affected individuals through CSID®, a company that specializes in these services. This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services at no cost to enrollees.
Additionally, the U.S. government is preparing to order the first round of sanctions against foreign entities or individuals involved in hacking, in what will be the first test of the government’s newest tool in cyber deterrence.