Hack of Federal Background Checks Found to Be Bigger Than Thought

OPM Says Hack Exposed Millions More Family Members Than Previously Thought

House Oversight and Government Reform Committee member Rep. Mike Turner, R-Ohio, holds up a security form as he asks questions during the committee's hearing on recent cyber attacks at OPM, Wednesday, June 24, 2015, on Capitol Hill.
June 27, 2016
Newly disclosed stolen records include personal information of parents, siblings, other relatives, and close friends—but are not believed to include their Social Security numbers, the agency said.
A historic background check breach that the Office of Personnel Management had said impacted 21.5 million individuals also compromised potentially tens of millions of additional people, according to OPM’s website. 
Other family members and close contacts of those victims are “affected,” according to an updated OPM FAQ. Last summer, OPM announced attackers had opened files on 21.5 million national security personnel and their immediate dependents. 
Suspected Chinese cyberspies set their sights on forms submitted by Americans seeking clearance to handle classified information that, among other things, included details on their private lives.
The stolen data about the newly announced victims contains what is “generally available in public forums,” OPM officials say. The FAQ, which apparently was changed late Friday, does not quantify how many additional people are affected.

What knowledge might adversaries now possess about the larger group of individuals?
OPM officials, in explaining who else is a victim, state: “When you submitted your background investigation form, you likely provided the name, address, date of birth, or other similar information of close contacts. These individuals could include immediate family members, co-habitants, or other close contacts.”
Much of the information about the additional category of individuals already is visible in internet directories or social media, officials said.
“Therefore, the compromise of this information generally does not present the same level of risk of identity theft or other issues,” they added.
This subset of hacked individuals will not be offered ID protection services.
The records filched include personal information of parents, siblings, other relatives, and close friends — but not their Social Security numbers, the OPM FAQ states. In addition, the files might document individuals that applicants know in foreign countries.
On Monday afternoon, OPM officials told Nextgov the agency clarified its cyber incident FAQ website, in response to questions received over the past year about the breach and the agency’s handling of the situation.
An agency official stressed that the number of people impacted whose Social Security Numbers were compromised remains the same: 21.5 million.
“We haven’t changed the number of people impacted by these incidents, or our definition of impacted,” OPM spokesman Michael Amato said.
The agency could not provide an estimate on the number of people “affected” whose personal information was stolen. These affected individuals will not be notified, because their Social Security numbers were not exposed.
“The website refresh was designed to streamline the content, make it more user friendly and to include all of the progress our cybersecurity team has made to secure our systems over the last year,” Amato said. “We have received a lot of feedback from impacted individuals and we updated the website to help better answer their questions.”
A security clearance expert said at least 43 million individuals could be affected, given the new information provided by OPM.
“If every one person whose data was hacked only had one relative (spouse or parent) on the form, that is 21.5 million right there,” said Cheri Cannon, who practices federal labor and employment law at Tully Rinckey.
This population affected by the OPM hack should be more concerned about their personal security than their finances, said Cannon, who also is a former panel member of the Air Force Board for Correction of Military Records. 
It appears no financially sensitive information was hacked, so the issue would be an adversary using the data to acquire information from the applicant or employee, Cannon said. In other words, the personal information stolen from these other individuals could be “a source of potential blackmail or embarrassment for one or all of the listed folks,” she said.
  • Aliya Sternstein reports on cybersecurity and homeland security systems. She’s covered technology for more than a decade at such publications as National Journal’s Technology Daily, Federal Computer Week and Forbes. Before joining Government Executive, Sternstein covered agriculture and derivatives …