21 Million More US Personnel Exposed in Second Attack

feds lose 21 million identities OPMThis morning the Office of Personnel Management (OPM) announced that the background check data on applicants for all government jobs since 2000 is “highly likely” compromised. The OPM’s computer network was breached in May and sensitive information including social security numbers for over 21 million Americans was stolen. This hack was discovered as a result of forensic investigation launched by the OPM in response to another hack that happened last month.

June’s hack resulted in OPM telling The Associated Press the breach had claimed only 14 million identities. The Feds pointed fingers towards China, who publicly denied involvement. Though, not all American bureaucrats looked to blame foreign governments.

“Federal employees entrust highly personal information to OPM with the expectation that it will be kept confidential and safe from unauthorized access. OPM’s failure to do so violated our members’ constitutional right to informational privacy,” the National Treasury Employees Union announced.

That’s Not How Security Works

The OPM announced today that since 2013 it has taken aggressive steps to upgrade the security of the agency’s computer systems. As a “direct result” of those upgrades OPM says it “was able to identify two separate but related cybersecurity incidents on its systems.”

Also read Corporate Spies Hack Billion Dollar Corporations

To compensate the owners of the Feds lost 21 million identities OPM will provide victims with three years of identity theft protection from a private sector firm. Minor children of the victims will receive identity monitoring at no charge. Over the next few weeks OPM will send informational packages to affected individuals.

Feds Sue the Feds

That’s not good enough for the National Treasury Employees Union (NTEU). In a separate announcement the NTEU declared the irresponsibility violated the 4th amendment constitutional rights of its members.

“It is outrageous that OPM was told years ago that its cybersecurity protections were woefully inadequate but did little about it. On top of it, OPM has done little to dispel the anxiety that NTEU members are experiencing,”said NTEU National President Colleen M. Kelley.

In their lawsuit they ask the court to:

• Declare that OPM’s failure to improve cybersecurity was an unconstitutional act;

• Order OPM to pay for lifetime credit-monitoring services and identity-theft protection for NTEU members;

• Order OPM to take all the necessary steps to heighten its IT security program and protect NTEU members’ data from falling into the hands of hackers in the future; and

• Prevent OPM from collecting personal information from NTEU members electronically or requiring them to submit such data in an electronic form until the court is satisfied with the agency’s cybersecurity upgrades.

Images from Ted Eytan, US Office of Personnel Management

Big? Little? It's all Endian