The Office of Personnel Management (OPM) revealed on Thursday that the second cyber intrusion compromised sensitive information on 21.5 million individuals.
The stolen information includes background investigation records of current, former, and prospective federal employees and contractors as well as sensitive information of some relatives of applicants.
“OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the social security numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases,” an OPM statement said.
This includes 19.7 million people who applied for a background investigation and 1.8 million non-applicants, primarily spouses or co-habitants of applicants.
While investigating a cyber intrusion into the agency that compromised the records of 4.2 million current and former federal employees, the government detected this second intrusion, affecting background investigations (Defense Daily, June 17).
Some of the stolen records include findings from interviews conducted by background investigators, with about 1.1 million containing fingerprints. Usernames and passwords that applicants used to fill out their background investigation forms were also stolen, OPM said.
OPM highlighted that notifications for the intrusion have not yet begun. It also said that although the background investigations contain some information about mental health and financial history provided by applicants and people contacted in an investigation, there is no evidence that health, financial, payroll, and retirement records of federal personnel or those who have applied for a federal job were impacted by this incident.
The agency notice explained that if an individual underwent a background investigation through OPM in 2000 or later (using SF-86, SF-85, or SF-85P forms), it is highly likely they are impacted by the incident. Those investigated before 2000 may still be impacted, but it is less likely.
OPM said those affected by this second hack will be provided with a set of services similar to those provided in the original personal data incident within several weeks. A notice via mail will provide details on the incident and services available at no cost for at least three years. This includes full service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continuous credit monitoring and fraud monitoring services beyond credit files.
Immediate family, close contacts and references of current and former federal employees, contractors and job candidates whose information was stolen will also be provided with further services, which OPM did not describe. OPM noted that beyond applicants and their spouses/co-habitants as described, these other persons may have had their name, address, date of birth or other similar information listed on a background investigation form. The agency said in many cases this kind of information is already publicly available and does not present the same level of identity theft risk.