Things went from bad to worse at the Office of Personnel Management (OPM) on Thursday with the announcement that hackers stole the Social Security numbers and personal information of 21 million people in a massive cyber hack. This news comes on top of last month’s revelation that 4.2 million current and former federal employees had their data compromised. The two attacks are “separate but related” according to an official statement released by OPM.
The larger, more recent breach includes the records of anyone who underwent a background investigation through OPM since 2000. FBI Director James Comey described the hack as “enormous.” It could, in fact, be the largest breach of U.S. government personnel information in history. Under significant pressure, OPM Director Katherine Archuleta resigned on Friday.
While the details of the breach are still being released, there are a few important facts that we already know:
- The data breach is centered on the background investigation records of federal employees and applicants. During the hiring process, prospective employees usually must complete form SF-86 or similar documents. The 127-page form SF-86 is the standard questionnaire for any national security position. It includes information such as the applicant’s address, Social Security number, employment history, finances, and medical information.
- The breach dates from May 2014, but it was not discovered until earlier this year. Of the 21.5 million records, 19.7 million belong to individuals who were hired or applied to work in the government. The other 1.8 million belong to family members and relations.
- Though it has been reported that over a million fingerprint scans were compromised, officials believe that annuity rolls and retirement records were not touched.
As a result of this massive cyber hack, there are several security risks going forward:
- People whose information has been compromised are obviously vulnerable to identity theft. While OPM is hiring a contractor to provide identity protection services, millions of Social Security numbers are now in the hands of hackers with likely ties to the Chinese government.
- The data breach represents a treasure trove of information about drug and alcohol use, psychological counseling, and emotional stability for all individuals. Millions of data points are also available on family members and personal finances. Enemies could use this sensitive information for espionage purposes to directly coerce U.S. citizens or to search for weaknesses that could be manipulated under the right circumstances.
- It should also be noted that many foreign nationals had their information compromised in this data breach, potentially putting them at risk if their government retaliates against them. If an applicant listed a relative who lives overseas, then that connection was also exposed to the hackers.
The implications of the breach are severe, both in terms of personnel privacy and our national security. It’s clear that the U.S. government must do more to secure its data, but this incident also demonstrates that the government does not have all the answers. Any solutions on cybersecurity should involve true public-private cooperation, rather than top-down government mandates.
Jocelyn Lamb and Ryan Spaude are currently members of the Young Leaders Program at The Heritage Foundation. For more information on interning at Heritage, please click here.