Last Updated: 09 Dec 2015

 

Latest Update – Verification Center
 
OPM has set up a verification center to assist individuals who have lost their PIN code or believe their data may be impacted but have not yet received notification letters. Former and current employees who believe they were impacted, but have not yet received a notification letter by mid-December, may contact the verification center. To contact the verification center, call 866-408-4555 toll free; 503-520-4453 International; 503-597-7662 TTY; or visit https://opmverify.dmdc.osd.mil/.
 
OPM expects to complete the mailing of notification letters by the end of the second week in December.
 
Whether individuals enter information through the verification center website or provide it to the call center agent, they will be asked to provide name, address, Social Security number and date of birth. This information will be used to determine whether individuals were impacted by the cyber intrusion involving background investigation records.
 
If individuals contact the verification center and they have been identified as being impacted, they will receive a notification letter which lists a PIN code and provides enrollment directions. If it is determined that the individuals’ data was not compromised in this incident, they will receive a letter confirming that they were not impacted. Letters should be received in approximately 2–4 weeks through the U.S. Postal Service, after the initial contact with the verification center.

 

Summary

On September 30, 2015, the U.S. Office of Personnel Management (OPM) began mailing notification letters to individuals impacted by the second cybersecurity incident. Those impacted include former and current military service members, civilian employees and contractors as well as their family members whose Social Security numbers may have been included on background investigation forms. It is expected that the notification process will take a considerable amount of time to complete due to the numbers of individuals impacted — about 21.6 million individuals have been impacted, to include the 5.6 million whose fingerprint records were stolen.

Since September 1, 2015, impacted individuals have been covered by identity theft insurance and identity restoration services. OPM will also provide additional services to impacted individuals that will be outlined in the notification letter. Individuals have the choice to enroll in the identity and credit monitoring services at no charge. Notification letters for the second cybersecurity incident will be sent by OPM via U.S. Postal Service mail — email will not be used.

OPM and the Department of Defense (DoD) announced on September 1 that Identity Theft Guard Solutions LLC (doing business as ID Experts) was awarded the contract to provide identity theft protection and credit monitoring for the 21.5 million individuals impacted by the second incident. Services will be provided at no cost to the impacted individuals. ID Experts will provide all impacted individuals and their dependent minor children (under the age of 18 as of July 1, 2015) with credit monitoring, identity monitoring, identity theft insurance and identity restoration services for three years (ending December 31, 2018).

 

Incident #2 – Background

OPM announced on July 9 the details of a second cyber incident that involved background investigation information of current, former and prospective employees (civilian, military and contractor). The data system that was stolen included personal and sensitive information about the employees typically provided on the Standard Form (SF) 85, 85p and 86 to include Social Security numbers (SSNs), residency and educational history, health and medical information, employment history, marital status, foreign travels, information about children and other relatives as well as personal friends and business acquaintances, financial history, criminal and non-criminal court cases, and passport information. Some information may also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that applicants submitted during the background investigation were also compromised.

OPM confirmed compromised records likely include the SSNs of 19.7 million people who applied for background investigations as well as 1.8 million non-applicants to include spouses or co-habitants of the applicants. Additionally, 5.6 million fingerprint records were compromised as part of Incident #2. According to OPM, individuals likely to be impacted underwent a background investigation through OPM in 2000 or afterwards; those undergoing an investigation prior to 2000 may be impacted but it is less likely. OPM does not have evidence that separate systems that store information regarding the health, financial, payroll and retirement records (such as annuity rolls, retirement records, USAJOBS, Employee Express) were impacted by the second incident.

Records for approximately 3.6 million people were included in both Incident 1 and 2.

 

Incident #1 – Background & Update

In April 2015, the Office of Personnel Management (OPM) became aware of a cybersecurity incident affecting its systems and data that may have compromised the personal information of current and former federal employees. (Incident #1) OPM estimates that 4.2 million employees were impacted by the first breach.

OPM began conducting notifications to affected individuals using email and/or USPS First Class mail on June 8, 2015. Recognizing the inherent security concerns in this methodology, with OPM and CSID support, DoD suspended notifications to employees on June 11, 2015, until an improved, more secure notification and response process is in place. Late June 15, 2015, OPM advised that email notification resumed.

Individuals impacted by Incident #1 have been offered 18 months of identity theft insurance and credit monitoring services through CSID – a company that specializes in identity theft protection and fraud resolution. The 18-month CSID membership is offered at no cost to those individuals identified by OPM.

In the course of the ongoing investigation into the first cyber intrusion that compromised personnel records of current and former federal employees (announced June 4), OPM discovered that additional OPM systems were compromised. These systems contain information related to background investigations.

 

Recap

Incident #1
 

• ~4.2 M current and former civilian employees impacted by a cybersecurity incident (December 2014)

• Personal information includes:  name, SSN, place and DOB, current and former addresses, education, training, employment information, etc.

• Notification email and letters in process (begun June 8); likely that not all personnel have been contacted

• 18 months of free identity theft insurance for up to $1 million; optional 18 months of credit monitoring available (IF employees opt to enroll)

• CSID (identity theft contractor) toll-free number 1-844-777-2743

 

Incident #2

• ~21.5 million former and current civilian, military and contractor employees who submitted background investigation applications and spouses' (or co-habitants') Social Security Numbers (SSNs); ~5.6 million fingerprint records were also compromised

• Highly likely to impact those who underwent a background investigation through OPM since 2000

• Information accessed includes data from SF85, 85p, 86 (includes SSNs, Residency and educational history, Employment history, information about immediate family, personal and business acquaintances, health, criminal and financial history, usernames and passwords used to fill out background investigation forms — complete listing available in the FAQs: Question 24 and Additional Information Section)

• Identity Theft Guard Solutions LLC (ID Experts) was awarded a fixed-price contract totaling $133,263,550 to provide identity theft protection and credit monitoring for impacted individuals

• Impacted individuals will be provided the protection and monitoring services for about three years – ending December 31, 2018

• Monitoring and protection services are offered at no charge to impacted employees, their spouses (co-habitants) whose SSNs were compromised and minor children – minor children defined as under age 18 as of July 1, 2015

• All impacted individuals will be covered by identity theft and restoration services as of September 1, 2015; after notification, individuals have the choice to enroll in identity and credit monitoring services at no charge

• Notifications to impacted individuals are expected later this month and will likely span several months

• OPM has established a verification center for those individuals who believe they have been impacted but not yet notified; information available on this site