US Office of Personnel Management Data Hack Raises More Questions than Answers

Multiple data breaches of OPM records has federal employees wondering just what might happen to their personal information, what actions they can take to protect themselves, and what policymakers will do to ensure this never happens again.

The agency is facing a major management upheaval following the resignation of its director, Katherine Archuleta, on July 10. She will be replaced by Office of Management and Budget Deputy Director Beth Cobert, who will serve as OPM’s acting director until a permanent replacement is appointed.

The hacked data, which the hack some analysts believe stemmed in China, contained sensitive federal background check information on more than 20 million Americans who have direct and indirect ties to the federal government, including roughly 4 million past and current federal workers.

Initially, those numbers were reported to be much lower. But investigations show that the data breach affected at least 20 million Americans and potentially more. Their personal and financial information is now in the hands of hackers who could have free range to do whatever they want with the data including selling it on the black market.

The hackers may have obtained Social Security numbers, job assignments, performance ratings, training information, healthcare records, fingerprints, and lengthy, potentially embarrassing, answers to invasive questions on background checks.

According to The Washington Post, “OPM officials declined to comment on whether payroll data was exposed other than to say that no direct-deposit information was compromised. They could not say for certain what data was taken, only what the hackers gained access to.”

The breach has caused a firestorm of controversy in Washington over the competency of OPM records management and raised questions about the integrity of data security at other federal agencies.

The White House has ordered agencies to monitor and scrutinize their cyber security measures to expose any potential holes that hackers could worm their way through in search of data and to enact measures to mitigate potential cyber vulnerabilities and future data breaches.

Several hearings have already been held about the OPM breach and several more are planned. The Defense Department, in particular, is highly concerned about the extent of sensitive data that hackers have obtained.

“The breach affected security clearance applicants and nearly 2 million spouses and partners,” according to the Military Times. OPM appeared to have known about the issue for some time, but did not publicly reveal it or act on fixing the vulnerabilities when they were identified in an OPM inspector general’s investigation.

Government Executive published an extensive timeline of the data breaches on their website.

Several measures and proposals are in the works to protect affected federal workers, some of whom, however, may have not yet been informed that their sensitive information was hacked.

The White House is “working diligently” to specifically ID whose data was stolen, according to Government Executive.

OPM announced earlier this month that they would extend credit and identity theft monitoring services to all federal employees. And for individuals directly affected by the hacks, OPM will eventually provide “a comprehensive suite of monitoring and protection services for background investigation applicants and non-applicants whose Social Security Numbers, and in many cases other sensitive information, were stolen.”

Those services will be offered for free for three years and include “include full-service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continuous credit monitoring and fraud monitoring services beyond credit files,” according to Federal Soup.

OPM also created a website that offers resources to federal workers concerned about data breaches. The website provides resources for federal workers to check whether they may have been affected and checklists to monitor whether their data is being used illegally. They also reference another government website that offers tips on strengthening personal computer security.

Four U.S. Senators — Sen. Ben Cardin (D-Maryland), Sen. Barbara Mikulski (D-Maryland), Sen. Mark Warner (D-Virginia), and Sen. Tim Kaine (D-Virginia ) — also introduced a bill called the RECOVER Act (Reducing the Effects of the Cyberattack on OPM Victims Emergency Response Act of 2015).

That bill would force OPM to offer comprehensive identity protection to federal workers and contractors, as well as at least $5 million in identity theft insurance.

“Private-sector cyberhacks and cyberattacks have become too commonplace, but when the federal government’s own computer system shows its vulnerabilities to the world, we have a responsibility to protect the people who have been put at risk,” U.S. Sen. Cardin said in a statement. “Off-the-shelf solutions are not good enough. We need to plug the holes in the federal network and make sure our workers, their families and all those who have been violated are held harmless from any damage that may be done.”

“The announcement that OPM’s data breach compromised the personal data of 21.5 million federal employees, retirees and their families is as outrageous and unacceptable as it is devastating,” said U.S. Sen. Mikulski in a statement. “Each week OPM has come out with a new story with new facts. This erodes confidence going forward that the federal government will be able to protect federal employees whose personal data – social security numbers, dates of birth, fingerprints – has been stolen. I demand answers and assurances for them. And I demand a far more robust action plan for their protection. That’s what this bill is about.”

The full text of their proposed legislation can be reviewed at this link.