WASHINGTON, D.C. — U.S. Office of Personnel Management officials on July 9 announced the results of the interagency forensics investigation into a recent cyber incident involving federal background investigation data and the steps the agency is taking to protect those affected.
In late May, as a result of ongoing efforts to secure its systems, OPM discovered an incident affecting background investigation records of current, former and prospective federal employees and contractors, officials said.
The forensics investigation determined that the types of information in these records include identification details such as Social Security numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.
Some records also include findings from interviews conducted by background investigators and fingerprints. User names and passwords that background investigation applicants used to fill out their background investigation forms also were stolen.
Since learning of the incident affecting background investigation records, OPM and the interagency incident response team concluded that sensitive information, including the Social Security numbers of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million people who applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or cohabitants of applicants, officials said.
There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems, they added.
“While background investigation records do contain some information regarding mental health and financial history provided by those that have applied for a security clearance and by individuals contacted during the background investigation, there is no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of federal personnel were impacted by this incident,” OPM officials said in a news release.
This incident is separate from, but related to, a previous incident discovered in April affecting personnel data for current and former federal employees, officials said. OPM and its interagency partners concluded “with a high degree of confidence” that personnel data for 4.2 million individuals had been stolen, officials said.
“This number has not changed since it was announced by OPM in early June, and OPM has worked to notify all of these individuals and ensure that they are provided with the appropriate support and tools to protect their personal information,” the news release says.
To protect those affected, OPM is providing a comprehensive suite of monitoring and protection services for background investigation applicants and non-applicants whose Social Security numbers or other sensitive information were stolen.
For the 21.5 million background investigation applicants, spouses or cohabitants with Social Security numbers and other sensitive information that was stolen from OPM databases, OPM and the Defense Department will work with a private-sector firm specializing in credit and identity theft monitoring to provide services tailored to address potential risks created by this particular incident for at least three years, at no charge.
In the coming weeks, OPM will begin to send notification packages to these individuals, which will provide details on the incident and information on how to access these services. OPM also will provide educational materials and guidance to help them prevent identity theft, better secure their personal and work-related data, and become more generally informed about cyber threats and other risks presented by malicious actors.
Other individuals whose name, address, date of birth, or other similar information may have been listed on a background investigation form, but whose Social Security numbers are not included, could include immediate family members or other close contacts of the applicant.
In many cases, the information about these individuals is the same as information generally available in public forums, such as online directories or social media, and therefore the compromise of this information generally does not present the same level of risk of identity theft or other issues, officials said.
The notification package that will be sent to background investigation applicants will include detailed information that applicants can provide to people they may have listed on a background investigation form. This information will explain the types of data that may have been included on the form, best practices they can exercise to protect themselves, and the resources publicly available to address questions or concerns, officials said.
On July 10, OPM launched a new online incident resource center at www.opm.gov/cybersecurity to offer information regarding the OPM incidents as well as direct individuals to materials, training, and useful information on best practices to secure data, protect against identity theft, and stay safe online.
This resource site will be regularly updated with the most recent information about both the personnel records and background investigation incidents, responses to frequently asked questions, and tools that can help guard against emerging cyber threats, officials said. A call center will follow in the weeks to come, they added.
In June, OPM identified 15 new steps to improve security, leverage outside expertise, modernize its systems and ensure internal accountability in its cyber practices.
This includes completing deployment of two-factor “strong authentication” for all users, expanding continuous monitoring of its systems, and hiring a new cybersecurity advisor.