And now, according to The Guardian (6/12/15), things appear to have gotten a lot worse with the revelation that a second hack has potentially more than tripled the number of victims.
CNBC reported June 4 that the initial hack involved the Office of Personnel Management (OPM) and the Interior Department - both federal agencies. It is thought that no sensitive government documents were affected or breached in any way, but rather the personal records of some four million individuals who work or have worked in those two departments. To that end, personally identifiable information, or PII, may have been compromised in the breach that is suspected to have originated in China.
Now it has been revealed that a second hack has occurred, this one targeting a centralized database and exposing the personal records of far more people, according to a report by The Associated Press (AP) appearing in The Guardian. J. David Cox, president of the American Federation of Government Employees, stated in a letter to OPM director Katherine Archuleta that based upon incomplete information provided by the OPM to the union, “we believe that the Central Personnel Data File (CPDF) was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to 1 million former federal employees.”
While the CPDF does not contain the records of Congressional members or their various staffs, members of the military, or intelligence agency staff, the database includes pretty much everyone else.
And the information the CPDF contains is far-reaching, given the information required and archived for the purposes of achieving security clearances. Up to 780 separate pieces of information about an employee can be parked and archived in that database. According to the union, the hackers would have had access to military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance and pension information, and age, gender and race data.
Specifically, the data believed to have been accessed is tied to that contained in Standard Form 86, which requires security clearance applicants to outline deeply personal information pertaining to mental illnesses, drug and alcohol use, past arrests and bankruptcies. The form also requires the listing of contacts and relatives.
According to the AP report in The Guardian, the latest estimates place the number of hacked records as falling between nine million and 14 million and involve records dating back to the 1980s. Even those individuals no longer in the employ of the federal government are affected, as they represent the majority. With about 4.2 million people in the federal employment pool currently, the majority of hacked records relate to former employees of and contractors to the federal government, according to officials.
“We believe that social security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous,” Cox said in the letter to Archuleta of the OPM. The union referenced the breach as “an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce.”
A spokesperson for the OPM, Samuel Schumach, told AP that while encryption “is a valuable protection method, today’s adversaries are sophisticated enough that encryption alone does not guarantee protection.” He added: “OPM does utilize encryption in some instances and is currently increasing the types of methods utilized to encrypt data.”
Dow Jones is said to have reported that a government source called the data breach one of the largest thefts of government data ever.
That statement from the unnamed government source suggests that thefts of government data have happened before. Will they happen again? And will business and government ever win back the trust of a consumer continually blindsided by data breaches of supposedly secure, impenetrable systems?
We may never know. Little wonder, however, that so many victims are turning to a data breach lawsuit as a means to achieve some level of compensation, and to send a message that the status quo remains unacceptable.