The United States Office of Personnel Management (OPM) has just released the latest details from their ongoing investigation into the attacks against their systems. Today’s announcement represents a significant escalation in the number of people affected and the risk victims face. Everyone who works or has worked for the federal government as an employee or contractor should take immediate action to protect themselves.
OPM is reporting that “sensitive information” for 21.5 million people was stolen. This impacts 19.7 million current, former and prospective federal employees and contractors who underwent background checks since 2000. It also affects 1.8 million people who didn’t undergo clearance checks but were related or associated with those who had, such as spouses, domestic partners, etc.
The list of “sensitive information” that has been compromised includes:
- Social Security Numbers
- Residency and educational history
- Employment history
- Information about immediate family, other personal and business acquaintances
- Health, criminal and financial history
- Usernames and passwords applicants used to complete background investigation forms
OPM notes that some records also include findings from background interviews conducted by investigators as part of the clearance process. Also, approximately 1.1 million people’s fingerprints were lost.
All of this represents highly sensitive personal information that can be used to facilitate identity theft. In addition, the information found in investigators’ findings could be used for blackmail, extortion or other nefarious purposes.
It’s important to understand that this data loss is separate but related to the one affecting 4.2 million current and former federal employees. This loss is much more serious in terms of the scope of information and volume. There is overlap as well — people can potentially be victimized by both data loss events.
The federal government promises three years of aggressive credit and identity theft monitoring and protection to victims. Anyone eligible should take advantage of this as soon as possible.
The investigations into both events will continue, meaning there could be more victims identified. And unfortunately, it could be found to be worse than originally thought.
The call-to-action is clear. If you work or have worked for the United States federal government as an employee or contractor, you should take immediate action and assume the worst until you obtain credible information to the contrary. Initiate credit and identity theft monitoring now and diligently look for signs of identity theft or fraud. Be on the lookout for phishing or voice phishing attacks that are typically associated when this sort of information is released.
Finally, utilizing modern security software on all your computers and devices is critical as well to help protect against attacks trying to use this information.
Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.