OPM Breach Hits 22 Million People, Director Resigns
Two separate breaches exposed highly sensitive information, including Social Security numbers and fingerprints.
Katherine Archuleta, the director of the Office of Personnel Management (OPM), resigned on Friday, July 10, 2015, after announcing that recent breaches at the OPM had exposed more than 22 million people's personal information, The New York Times reports.
"I conveyed to the President that I believe it is best for me to step aside and allow new leadership to step in, enabling the agency to move beyond the current challenges and allowing the employees at OPM to continue their important work," Archuleta said in a statement.
Beth Cobert, deputy director of management of the Office of Management and Budget, is expected to replace Archuleta temporarily until a permanent replacement is found.
White House spokesman Josh Earnest said Archuleta had resigned "of her own volition," but that President Obama did believe new leadership was needed. "She recognizes, as the White House does, that the urgent challenges currently facing the Office of Personnel Management require a manager with a specialized set of skills and experiences," he said.
In a statement, the OPM explained that two separate breaches impacted a total of 22.1 million people. In the first breach, the personal information of 4.2 million current and former federal employees was exposed. In the second breach, the Social Security numbers and other sensitive data of 21.5 million people were exposed, including 19.7 million people who applied for a background check, and 1.8 million spouses or co-habitants of applicants. Approximately 1.1 million of the files include fingerprints.
"If an individual underwent a background investigation through OPM in 2000 or afterwards (which occurs through the submission of forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), it is highly likely that the individual is impacted by this cyber breach," the OPM stated. "If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely."
FBI director James B. Comey told The Washington Post that he believes the hackers have obtained his SF 86. "If you have my SF 86, you know every place I’ve lived since I was 18, contact people at those addresses, neighbors at those addresses, all of my family, every place I’ve traveled outside the United States," he said. "Just imagine if you were a foreign intelligence service and you had that data."
STEALTHbits strategy and research officer Jonathan Sander told eSecurity Planet by email that the theft of that kind of data can have a significant impact. "When people are recovering passwords they’ve forgotten, they are asked for personal information only they know," he said. "Things like obscure items from their credit history or family details. That data has been stolen from OPM."
"Everyone in the security industry knows we need new ways to lock down our digital lives, but those warnings go unheeded," Sander added. "Now that the bad guys have everything they need to completely hijack the digital lives of some people of direct interest to the government, maybe someone will start paying attention."