UPDATE: OPM said that 3.6 million of the 4.2 million people affected by the first breach were also in the casualty count of the second breach, so the total should be around 22 million instead of 25 million. However, they added 1.8 million fingerprints to the mix.
OPM said that notifications for the second breach will begin going out soon and will include what to tell family members, who are collateral damage of those people who had security clearances.
The OPM has upped what they are offering people who’s information was compromised to include credit monitoring for at least 3 years, full service identity restoration and victim recovery, identity theft insurance, identity monitoring for minor children and other services.
Finally, the OPM did admit that the interviewer’s notes were also compromised.
The government has also set up a web site – https://www.opm.gov/cybersecurity with information about the breach.
CNN is reporting that the numbers for the second OPM breach announced last month are now up to a bit over 21 million. This includes 19.7 million SF-86s (security clearance applications) and 1.8 million “non-applicants” – mostly spouses and partners. This is in addition to the 4 million affected individuals from the first breach.
That means we are at about a total of 25 million. This does not include the people who were used as references, friends, neighbors and supervisors in those SF-86s, because the only information collected about them is name, address, phone number and email address.
I don’t think that anyone is convinced at this point that this is the end of it and the number will not continue to grow.
Congress of course, is going crazy blaming everyone – except the Congressional oversight committees. Congress had warnings about this problem at least as far back as 2009 and chose to do nothing about it.
I do think that Director Archuletta and CIO Seymour are short timers and that is probably appropriate. Washington is a strange place. Political appointees do not have the freedom to keep yelling fire, even if they see flames – but they do get blamed when the fire burns the place down. It is a hazard of the job.
The real test now is what Congress does do. Even if they claim that they WERE asleep at the wheel for the last 6 years, they know now and need to keep the pressure on. Only time will tell.
Also, while OPM offered credit monitoring to the first 4 million victims, as of today, they have not offered anything to the next 21+ million.
One challenge the government has to deal with and which there is no easy way to get around is the fact that negative information on 20 million security clearance holders is in the wild and that information can be used to blackmail those people. In addition, depending on what happens to that data, it COULD affect those people’s ability to keep and get a job in the future. The government isn’t talking about how they plan to deal with that.
Finally, for covert ops folks (CIA), if the hackers can match up clearance data with operatives in the field, it could risk their safety. I assume the agency is working on damage control about that. Supposedly, the CIA keeps their files separate, but if the person came from another agency to the CIA then their names will be in the pile of breached SF-86s.
Information for this post came from CNN.