NEWS ANALYSIS: The Office of Personnel Management may have suffered more breaches and lost more information than it previously acknowledged.
The news about the data breach at the U.S. Office of Personnel Management keeps getting worse by the day. How much worse? On June 12, the Associated Press reported that the number of personnel records that may have been pilfered in a stealthy cyber-attack is as high as 14 million.
Meanwhile, The Washington Post is reporting that a great deal more information than just basic name, address and Social Security number details were taken and that, in fact, the database that was breached contained something called the SF (Standard Form) 86, which is a 127-page form that each person who is being considered for a security clearance must submit.
This form is far more detailed than you’d expect for most job positions. In fact, when I submitted my form SF-86, I was required to submit details on every job I’d ever held, no matter how brief or how minor.
I was also required to report on every place I’d ever lived, every place outside the United States where I’d ever traveled, my personal information, ranging from hair color and race to my height and weight. The level of detail was astonishing. But it’s required of anyone who ever had a security clearance. Because I was an officer in the Navy, of course, I had such a clearance.
While I haven’t been notified that my information was taken, OPM on June 15 started to send out notices to those whose data was breached. Each person will get a letter, or in some cases an email, letting them know that this happened and offering a year and a half of credit monitoring and a million dollars of identity theft insurance.
On June 14, OPM spokesperson Samuel Schumach said that OPM had discovered what it called a “separate intrusion” into OPM’s systems that revealed the details of background investigations into former, current and prospective federal employees and others for which an investigation was required. This would include a vast number of government contractors.
But just in case you thought that things couldn’t get worse, a Manassas, Va., security company, CyTech Services may have quietly played a role in determining how the massive breach into OPM took place.
The Wall Street Journal is reporting that this small company visited OPM in April to demonstrate its security software and, in the process, found malware running on several computers inside the agency. CyTech reports that the company remained on-site for several days to assist the FBI and other agencies in the investigation.
In addition to finding that the malware that played a role in siphoning information to whomever breached OPM was still there and still at work, the investigation now indicates that the breach started much earlier than December 2014 and, in fact, may have begun more than a year before that.