Hackers stole sensitive information on 21.5 million people in a recently disclosed cyber-attack that breached the Federal government’s database of security background checks, Politico’s David Perera has reported.
MeriTalk yesterday said the Office of Personnel Management (OPM) was preparing to disclose details of the new hack this week.
OPM has previously said 4.2 million current and former Federal government employees’ personal data was stolen in a massive breach disclosed on June 4.
Since OPM began notifying victims of the first breach, officials acknowledged the second breach but declined to state the number of affected individuals until today.
It turns out the second hack was much worse than the first – and worse than expected. FBI Director James Comey told Senators last week that the second breach may have compromised 18 million individual identities, according to U.S. officials briefed on the matter, CNN reported.
“The 18 million refers to a preliminary, unverified, and approximate number of unique social security numbers in the background investigation data,” OPM Director Katherine Archuleta testified during a June 24 House Oversight and Government Reform Committee hearing. “It is not a number that I feel comfortable, at this time, represents the total number of affected individuals.”
Federal workers already are being targeted by a new phishing scam that uses emails stolen in the hack. The U.S. Computer Emergency Readiness Team (US-CERT) began warning Feds on June 30 about the scam, which tries to lure people to fake sites pretending to have important information about the OPM breach. The only official government website for information on the breach is opm.csid.com, according to US-CERT.
OPM has hired government contractor Winvale and identity-theft-protection specialist CSID to offer 18 months of protection to anyone whose identity was compromised in the OPM breaches. To date, 500,000 people have enrolled in the protection service, reports the Wall Street Journal’s Damian Paletta.
Paletta also reports that CSID has scanned the Internet but has not found stolen OPM records for sale.
OPM is seeking $37 million to migrate legacy IT systems to improve security in the fiscal year starting October 1, Perera reported. OPM has said its legacy systems are partly responsible for weaknesses in its cyber security.