With the government’s announcement Thursday that 21.5 million people were affected by a major hack of government systems containing security clearance information, we’re beginning to get a clearer picture of perhaps the most consequential cyber intrusion in U.S. government history.
The Obama administration initially disclosed in June that a database containing personnel information of 4.2 million employees had been compromised. But it has taken the Office of Personnel Management weeks to calculate the breadth and impact of the second hack of security clearance data. That breach compromised the sensitive records of not just federal employees and contractors but also their families and friends.
There’s much about the hack and the government’s response that officials are still not disclosing. In the meantime, here is what we know:
So how many were affected?
The numbers are a bit confusing. The 21.5 million figure includes 19.7 million individuals who applied for a background investigation, and 1.8 million other people, including spouses or people who live with the applicants.
That does not include the 4.2 million employees affected by the first hack of employment data.
About 3.6 million people have information contained in both the employment and background investigation databases, officials said.
How will I know if I should worry?
If you underwent a background check investigation run through OPM in 2000 or afterwards it is “highly likely” your personal information was compromised, according to OPM. Specifically, that means people who submitted Standard Forms 86, SF 85, or SF 85P for either a new investigation or a periodic review in that time frame were probably swept up in the breach.
But OPM also notes that people who underwent background investigations before 2000 may still be affected.
What personal information was stolen?
OPM has determined that the files taken included Social Security numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history and other details.
Some records also contain details from interviews conducted by background investigators and fingerprints. And the hackers also gained access to usernames and passwords that background investigation applicants used to fill out the forms required by the government.
Is this sort of information different from what we’ve seen in other hacks?
Yes, the data stolen in this hack is much more personal. The string of cyberattacks that hit major retailers in recent years primarily exposed financial data such as credit card numbers or contact information, including a customer’s physical address. And while breaches of healthcare providers such as Anthem have exposed Social Security numbers and in some cases medical data, those intrusions didn’t include the person’s fingerprint and other details of their personal life.
Is there any information the hackers didn’t get?
Background investigations include information about an applicant’s mental health and finances, and some of it may have been compromised. But OPM said that much of it is stored in separate systems from the ones that were hacked.
What about the 4.2 million employees whose employment data was hacked in the earlier intrusion OPM announced in June? Is that number accurate?
While media reports in recent weeks had suggested that the number of people affected by the employment data hack would grow from 4.2 million, OPM officials reiterated Thursday that it has not changed.
What can I do to protect myself?
OPM says it plans to notify the people affected by the security clearance breach “in the coming weeks.” The agency says it will hire a contractor to provide identity theft insurance and credit monitoring for “at least three years.” That’s more than the 18 months of protection currently being offered by CSID, a contractor providing similar services for victims of the breach of employment data.
OPM also says it will set up a call center to respond to questions, but didn’t offer any specifics on when. In the meantime, there’s a Web site where people who are concerned they were affected can go for answers, but not about their specific case: https://www.opm.gov/cybersecurity.
Will the same contractor handle the response to both breaches?
That’s unclear for now. CSID was widely criticized by employees and members of Congress for poor customer service in the initial weeks after the hack of employment data was disclosed.
Will I be protected in the long term?
Federal employee unions are pushing the government to offer lifetime credit monitoring, but so far that seems unlikely.
However, OPM officials said the Obama administration is considering offering some form of credit monitoring and identity theft protection to all federal employees in the future, whether they were affected by these intrusions or not.
But the details, including for how long such extra protection would last, are still unclear.
How does this breach rank in terms of scale?
This isn’t the biggest breach we’ve ever seen. The breach of Target and Anthem affected many more people. But 21.5 million is still a big number and employees could be forced to deal with the consequences for some time.