Cybercriminals have stolen a staggering amount of information from government computers, a federal agency revealed Thursday. The total number of victims and the type of information gathered, taken together, make the hack historic.
While researching an attack that saw the compromise of 4.5 million federal workers’ data, the Office of Personnel Management found a second incident that impacts 21.5 million people, both inside and outside of government. Criminals got away with SSNs, passwords, and in some cases, fingerprints, the agency announced Thursday. Most federal workers since the year 2000 are at risk.
“This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants,” the federal agency says on its website. “Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”
The data stolen had been collected by the federal government, ironically, to complete background checks on potential and current employees.
“If you underwent a background investigation through OPM in 2000 or afterwards … it is highly likely that you are impacted by the incident involving background investigations. If you underwent a background investigation prior to 2000, you still may be impacted, but it is less likely,” the agency said.
Background checks can also include non-spouses used essentially for references. While those individuals also had their data stolen, they are at a much lower risk, OPM says.
“Beyond applicants and their spouses or co-habitants … you may be someone whose name, address, date of birth, or other similar information may have been listed on a background investigation form. In many cases, the information about these people is the same as what is generally available in public forums such as online directories or social media,” OPM says.
Federal workers will receive credit monitoring and other identity theft protection services, though the OPM says there is no evidence the data has been used for financial fraud. Numerous reports indicate that federal officials blame computer criminals working on behalf of the Chinese government for the attack. While there has been no official confirmation of that, and no evidence supplied, it’s easy to see how this treasure trove of data on federal workers — including fingerprints — would be useful in international espionage. Earlier this week, FBI Director James Comey said his own personal information had been compromised in the incident.
OPM urges workers to change their passwords and monitor their credit reports for signs of abuse. The agency will soon open a call center just to deal with questions about the incident.
“OPM continues to take aggressive action to strengthen its broader cyber defenses and information technology (IT) systems, in partnership with experts from DoD, DHS, FBI and other interagency partners,” the agency said.