DoD News, Defense Media Activity
WASHINGTON, July 10, 2015 – U.S. Office of Personnel
Management officials yesterday announced the results of the interagency
forensics investigation into a recent cyber incident involving federal
background investigation data and the steps it is taking to protect those
affected.
In late May, as a result of ongoing efforts to secure its
systems, OPM discovered an incident affecting background investigation records
of current, former and prospective federal employees and contractors, officials
said.
The forensics investigation determined that the types of
information in these records include identification details such as Social
Security numbers; residency and educational history; employment history;
information about immediate family and other personal and business
acquaintances; health, criminal and financial history; and other details.
Some records also include findings from interviews conducted
by background investigators and fingerprints. Usernames and passwords that
background investigation applicants used to fill out their background
investigation forms also were stolen.
21.5 Million Social Security Numbers Stolen
Since learning of the incident affecting background
investigation records, OPM and the interagency incident response team concluded
that sensitive information, including the Social Security numbers of 21.5
million individuals, was stolen from the background investigation databases.
This includes 19.7 million people who applied for a background investigation,
and 1.8 million non-applicants, predominantly spouses or cohabitants of
applicants, officials said.
There is no information at this time to suggest any misuse
or further dissemination of the information that was stolen from OPM’s systems,
they added.
“While background investigation records do contain some
information regarding mental health and financial history provided by those
that have applied for a security clearance and by individuals contacted during
the background investigation, there is no evidence that separate systems that
store information regarding the health, financial, payroll and retirement
records of federal personnel were impacted by this incident,” OPM officials
said in a news release.
Separate From Previous Incident
This incident is separate, but related to, a previous
incident discovered in April affecting personnel data for current and former
federal employees officials said. OPM and its interagency partners concluded
“with a high degree of confidence” that personnel data for 4.2 million
individuals had been stolen, officials said.
“This number has not changed since it was announced by OPM
in early June, and OPM has worked to notify all of these individuals and ensure
that they are provided with the appropriate support and tools to protect their
personal information,” the news release says.
Assistance for Those Affected
To protect those affected, OPM is providing a comprehensive
suite of monitoring and protection services for background investigation
applicants and non-applicants whose Social Security numbers or other sensitive
information were stolen.
For the 21.5 million background investigation applicants,
spouses or cohabitants with Social Security numbers and other sensitive
information that was stolen from OPM databases, OPM and the Defense Department
will work with a private-sector firm specializing in credit and identity theft
monitoring to provide services tailored to address potential risks created by
this particular incident for at least three years, at no charge.
Notification Packages
In the coming weeks, OPM will begin to send notification
packages to these individuals, which will provide details on the incident and
information on how to access these services. OPM also will provide educational
materials and guidance to help them prevent identity theft, better secure their
personal and work-related data, and become more generally informed about cyber
threats and other risks presented by malicious actors.
Other individuals whose name, address, date of birth, or
other similar information may have been listed on a background investigation
form, but whose Social Security numbers are not included, could include
immediate family members or other close contacts of the applicant.
In many cases, the information about these individuals is
the same as information generally available in public forums, such as online
directories or social media, and therefore the compromise of this information
generally does not present the same level of risk of identity theft or other
issues, officials said.
The notification package that will be sent to background
investigation applicants will include detailed information that applicants can
provide to people they may have listed on a background investigation form. This
information will explain the types of data that may have been included on the
form, best practices they can exercise to protect themselves, and the resources
publicly available to address questions or concerns, officials said.
New Resources
Today, OPM launched a new, online incident resource center
at https://www.opm.gov/cybersecurity to offer information regarding the OPM
incidents as well as direct individuals to materials, training, and useful
information on best practices to secure data, protect against identity theft,
and stay safe online.
This resource site will be regularly updated with the most
recent information about both the personnel records and background
investigation incidents, responses to frequently asked questions, and tools
that can help guard against emerging cyber threats, officials said. A call
center will follow in the weeks to come, they added.
In June, OPM identified 15 new steps to improve security,
leverage outside expertise, modernize its systems and ensure internal
accountability in its cyber practices.
This includes completing deployment of two-factor “strong
authentication” for all users, expanding continuous monitoring of its systems,
and hiring a new cybersecurity advisor.
More details are available in the OPM news release, linked
below.
Posts
No comments:
Post a Comment