The OPM has admitted that the 4 million record number is way low, the number is likely around 14 million and the SF-86 data, which OPM initially said was not compromised, was, in fact, hacked.
In a statement to Bloomberg News on Friday, agency spokesperson Samuel Schumach (see article) said
Investigators have “a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated,”
If true, what this means is that if you have applied for a security clearance with the government since the 1980s, your data may be in the hands of the Chinese government. It would appear that whether the clearance was granted or not or is active or not – in any of these cases – your data may be compromised.
I do think that OPM is having problems figuring out how long the hackers were inside, what they took and where it went. Assuming their systems are the twisted ball of baling wire and chewing gum that I suspect they are, we may never know the whole story.
The problem, if they did get the SF-86s as it appears that they did, is the nature of the data in the forms. Depending on the level of clearance, there are also interviews with you, references, neighbors, business associates and former neighbors. It is certainly possible that this data was also compromised. If so, the 14 million number will start to look very small.
While the CIA and other intelligence agencies keep their records separate, IF an agent was in the military or at a defense contractor, their data may be part of the disclosure.
If you completed an SF-86 you are required to disclose information such as arrests, prior drug use and other very sensitive information which could make these people targets of blackmailers and could have a very negative impact on people’s job, families and personal safety.
Giving someone who had this type of information compromised 18 months of credit monitoring will not help very much. And, since it is almost impossible to sue the government, people really have very little recourse unless Congress decides to act.
I guess we will keep hearing more about this – I do not think this is over yet.