Hacker

Update on OPM Data Breach

07/09/2015

Today NTEU received a briefing from OMB and OPM on the recent data breaches. The call provided some new information on the second data breach that affected background investigation information. While we were not told the number of people affected by the second breach, we have since learned the number is 21.5 million. We were told that sensitive information was stolen from forms SF 85’s and SF 86’s filled out by federal job applicants, employees and contractors. Social Security Numbers were stolen for the individual, as well as in some cases, the spouse or partner.  Individuals who filled out these forms since 2000 are likely affected, while those who may have filled them out previously, could be, but are less likely to be affected.

OPM is currently in the process of hiring another contractor to deal with those affected by the second breach and will not provide individual notifications until that process is complete.  In response to questions from NTEU, OMB would not provide a timeframe for notifications to those affected.  They did say that identity theft monitoring and fraud protection services will be more extensive for this group of individuals and will be in place for three (3) years with longer term benefits under consideration.  It will also be offered without cost to affected individuals, spouses or partners whose SSN’s were included in the forms and current minor children.  

OPM will be setting up an automated call center to answer general questions on the second breach until it has a contractor in place to deal with individual questions.  We will provide that as soon as it is available.  In addition, OPM has set up a website with general information on the breaches at: https://www.opm.gov/cybersecurity

NTEU continues to be outraged that so many of our members have had their personal information compromised due to these breaches. We will continue to pursue our lawsuit to provide lifetime credit monitoring and identity theft protection for our members and we will be supporting legislation to be introduced in the next few days by Senator Ben Cardin (MD) and Congresswoman Eleanor Holmes Norton (DC) that will also call for lifetime credit monitoring and identity theft protection for all affected individuals. In addition, we will continue to press OPM, OMB, Congress and the President to increase the protections and the level of service provided to those affected as well as to ensuring that this never happens again.

While NTEU has expressed to OPM and OMB our extreme dissatisfaction with the quality and quantity of information being provided to NTEU and to the individuals affected by the breaches, we will continue to provide to you whatever information they share.

Last week, NTEU met with OPM Director Archuleta and the Office of Management and Budget (OMB) concerning the data breaches. At that time, OPM provided a general status update regarding the June 4 reported breach of personnel records. The majority of e-mail and mailed notifications have occurred by the OPM-selected contractor CSID, though some notifications continue to affected individuals in cases where e-mail notifications were undeliverable or an earlier mailed letter was returned.

As of now, individuals can contact the CSID toll-free line (844-777-2743) to verify whether they were affected in the personnel records breach, and that individuals can fully enroll in the credit monitoring services with a CSID representative on the toll-free line. Individuals can also visit the CSID website to enroll in these services.

NTEU has consistently advocated for the ability for affected individuals to be able to fully enroll in these services on the toll-free line, versus being required to enroll via the CSID website. As a reminder, individuals who have not received a notification can contact the CSID toll-free line to verify whether or not they have had information compromised in the June 4 personnel records breach. Also, for residents of New York State, CSID is now providing the missing fraud protection insurance coverage that had not been in place earlier. NY-state required specific information is now being provided from CSID. OPM plans to update their FAQs soon with this information.   

Also at last week's meeting, the Director of OPM announced a third, separate incident. During the ongoing forensic investigations into the two earlier reported breaches, it has been determined that a system vulnerability exists with the E-QUIP system primarily used by OPM, agencies, and individuals to handle background investigation forms (Note: this is separate from the announced, actual breach into background investigations databases). While there is no evidence of an actual breach, but rather a possible IT vulnerability, the Director of OPM has now suspended the entire E-QUIP system, meaning that no new forms can be submitted either by new hires or by existing employees undergoing a periodic reinvestigation (PRI). At this time, OPM and OMB expect the system to remain down for a period of 4-6 weeks, while IT improvements are made. OPM Federal Investigative Services (FIS), that handles background investigations, is currently in the process of making needing personnel and work adjustments. Existing employees will continue to operate as normal with their current clearance level in place, and their PRI will occur once the system is back up and running.OPM and employing agencies are also currently considering various flexibilities to address the situation for new hires.  I will keep you posted on this situation going forward.   

As a reminder, OPM continues to update its Frequently Asked Questions (FAQs) on a rolling basis.

NTEU continues to call loudly for immediate blanket credit monitoring and identity theft protection coverage to be extended to those individuals whose information has been compromised in the background investigations breach, and who have yet to be notified. And, to make it clear that these services must be extended beyond the current 18 months now being offered as a result of the personnel records breach—and that they be provided to both affected employees and to their family members, particularly given the high-level of risk faced by these individuals.  NTEU is making sure that the Administration and Congress are fully aware of what you are experiencing, and what you need as we move forward.