One in 14 Americans may have just lost tons of their personal information — everything from their Social Security Number and birthdates to notes on their finances, relationships and even sexual proclivities — to hackers in a massive cyber breach, a federal agency said Thursday.
Hackers have made off with confidential data belonging to 22 million people who work, formerly worked or have applied to work for the federal government, costing a top agency official her job and exposing troves of sensitive data stored by the Office of Personnel Management (OPM), which serves as a sort of human resources for federal workers.
Here’s a breakdown of the biggest questions — including what you should know about the attack, who is affected and what it means for you.
Which databases were hit?
While OPM has declined to say exactly which systems were affected, an agency filing in the Federal Register reveals two likely targets: the Enterprise Human Resources Integration (EHRI) system, which contains personnel data for current and former government employees, and the Electronic Questionnaires for Investigations Processing (e-QIP) database, which gathers data from federal job candidates when they apply for background checks online.
How many records were stolen?
OPM said records belonging to 22.1 million people were taken, including records belonging to 4.2 million current and former employees and e-QIP records for 21.5 million people, including 19.7 million people who have applied for background checks since 2000 (and possibly earlier) and 1.8 million of their associates, such as spouses. (3.6 million people were affected by both breaches.)
What was in those records?
OPM says the stolen data includes basic personal information, such as names, Social Security numbers and birthdates. According to the agency’s Guide to Personnel Recordkeeping, stolen EHRI records could also include personnel file data, such as job applications, disciplinary histories, benefits records, some medical records and records related to alcohol or drug abuse counseling or treatment.
Data stolen from the e-QIP database would go even further. Experts have pointed out that the e-QIP database contains a breadth of very personal information. That’s because it collects data from three forms — SF-86, SF-85 and SF-85P — that federal agencies use to vet job candidates for security clearances or to renew current employees’ existing clearances.
What’s on these forms?
“It’s basically your whole life story,” Chris Eng, vice president of research at Veracode and a former engineer at the National Security Agency, told Mashable.
People who apply for federal jobs (both directly with the government and even through private contractors or subcontractors) must volunteer a large amount of personal information — including where they’ve lived and worked, psychological and medical histories, relationships with any foreign nationals and information about their criminal or financial histories. The government, in turn, uses that to vet an applicant’s eligibility for necessary security clearances.
“The idea,” Eng said, “is figuring out — for somebody applying for a sensitive position — is there anything in their life or in their experience that would make them more subject to coercion? Is there anything that could be used for blackmail? Is there anything that could make them unstable? Does their financial situation make them more susceptible to bribes?”
So, that’s all, right?
Nope. In addition to basic personal data and information from the three security clearance forms, OPM said the stolen data also included “findings from interviews conducted by background investigators” and 1.1 million records that contained individuals’ fingerprints.
Eng added that an investigator’s “findings” will be unique to each applicant and some candidates, depending on the agency and job they’re applying to, may have thicker files than others. That’s because in addition to a standard, initial interview, some agencies will conduct additional interviews (and even lie-detector tests) with applicants and their associates, including family members and employers.
Those interviews can even examine a candidate’s sexual behavior to determine whether he or she is eligible for a security clearance.
“The question for me is, ‘Does all of that get packaged up and stored at OPM?’” Eng said.
The agency hasn’t clarified. But even if it doesn’t, losing control of the SF-86 and initial background interview data “is absolutely damaging enough,” Eng added.
“All the information that you might use to blackmail somebody or coerce somebody is gonna be in there.”
Who’s behind this?
While the government hasn’t pointed the finger yet, some media reports have said state-sponsored hackers in China are the culprits.
China has denied any involvement, but whoever is responsible may now be sitting on a trove of very valuable data.
“It’s hard to put a price tag on it,” said Mark Krotoski, a former prosecutor in the Justice Department’s computer hacking and intellectual property program. “From a national security perspective, the more you know about a particular individual creates the potential for vulnerabilities.”
This particular hack’s unprecedented scope means the hackers could now have “highly sensitive and personal information” on high-value targets that would otherwise have required “many years of surveillance and collection,” Krotoski said.
Should I be worried?
Probably. OPM says anyone who underwent a background check through the agency since 2000 “is highly likely” to be a victim of the breach. Even some individuals who underwent background checks before 2000 may be affected, “but it is less likely,” OPM said.
Is there anything I can do?
Not much, for now. OPM says there’s no evidence the stolen data has been misused — yet. But victims should change the passwords to their online accounts, especially if they re-used any of those passwords for e-QIP. (OPM said usernames and passwords used to access e-QIP were also stolen.)
If you think your data was stolen, keep an eye on your mailbox. For victims of the EHRI hack, the agency has begun notifying people whose information was compromised and will offer “all potentially affected individuals” a “complimentary” credit-monitoring service and $1 million of identity theft insurance for 18 months.
The agency also says anyone who applied for a background check through the agency after 2000 is “highly likely” to be affected by the e-QIP attack and has vowed to provide free credit and identity theft monitoring to them for a period of at least 3 years. Those individuals should expect a notice in the coming weeks.
In the meantime, OPM said it has also established a “cybersecurity incident resource center” and will set up a hotline for victims seeking more information.