What is the “OPM hack”?
The “OPM hack” refers to a massive data breach in which hackers, believed to be based in China, acquired personnel records of federal employees from the Office of Personnel Management (OPM).
What is the OPM?
The OPM (Office of Personnel Management) serves as the human resource department for the federal government. Among other duties the agency conducts background investigations for prospective employees, issues security clearances, and compiles records of all federal government employees.
How many records were stolen?
The OPM said that 4 million employees, both current and past employees, have been affected. But the American Federation of Government Employees, the union for federal employees, claimed Thursday that all federal employees and retirees, as well as one million former federal employees, had their personal information stolen. (UPDATE (7/10/15): The OPM has announced the records of 21.5 million Americans were stolen.)
The exact amount of data stolen, however, may be unknowable since, according to one U.S. official, “OPM officials and other authorities still don’t have a good handle on how much information was actually stored by OPM in the first place.”
What type of records were stolen?
Some of the records stolen were the Questionnaire for National Security Positions form, known as the SF-86 form. The 126-page form contains a plethora of information about an individual, including their Social Security number, birthdate, addresses, passport information, financial information, previous employment activities, connections to foreign nationals, etc.
When did the data breach occur?
The OPM, which publicly acknowledged the hack this week, says the agency identified a cybersecurity incident” two months ago affecting its information technology (IT) systems and data. But according to ABC News, the hackers had access to the government databases for more than a year before they were detected.
How could the data be used?
As Kim Zetter and Andy Greenberg of Wired explain, federal background checks are meant to suss out information that might be used by foreign enemies to blackmail a government staffer into turning over classified information.
Ken Ammon, chief strategy officer for a cyber security firm, told the BBC the hacked data could be used to impersonate or blackmail federal employees with access to sensitive information.
And as former counterintelligence officer John R. Schindler says,
Whoever now holds OPM’s records possesses something like the Holy Grail from a [counterintelligence] perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side (perhaps with someone of a different gender than your normal partner) — since all that is recorded in security clearance paperwork.
Do you have friends in foreign countries, perhaps lovers past and present? They know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that too. Your college drug habit? Yes, that too. Even what your friends and neighbors said about you to investigators, highly personal and revealing stuff, that’s in the other side’s possession now.
What does the government plan to do about the data breach?
The OPM will be offering identity theft monitoring for those who have been affected. According to an OPM press release:
In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring and identify theft insurance and recovery services to potentially affected individuals through CSID®, a company that specializes in these services. This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services at no cost to enrollees.
Additionally, the U.S. government is preparing to order the first round of sanctions against foreign entities or individuals involved in hacking, in what will be the first test of the government’s newest tool in cyber deterrence.