GRAFENWOEHR, Germany—The two cyber breaches of Office of Personnel Management databases that came to light over the summer may no longer be front-page news, but for many people associated with the Department of Defense, the story is not over.
OPM’s director, Beth Cobert, posted a blog entry Oct. 1 outlining the process of notifying the 21.5 million federal employees, contractors and military service members impacted by the more recent breach in June.
OPM is now mailing letters via the U.S. Postal Service to all those impacted. The letters describe the credit monitoring and identity theft protection services being provided for at least three years and include the PIN necessary to enroll in the services.
Cobert’s post stresses that individuals will receive their notification only via mail, not through email, and that no one from OPM or working on behalf of OPM will contact individuals to ask for personal information.
Given the number of individuals who need to be contacted, the notification process could take up to 12 weeks. (An Oct. 28 article on Federal News Radio reports that 3.7 million individuals had been contacted as of the article’s posting.)
Individuals who may have been impacted are strongly advised to monitor OPM’s Cybersecurity Resource Center for updates, Frequently Asked Questions and other information. To receive an email when the Resource Center website is updated, sign up for OPM’s cybersecurity email list.
The following overview is condensed from the Cybersecurity Resource Center.
Background investigation records of current, former and prospective federal employees, contractors and service members were stolen in a June 2015 cyber breach of OPM background investigation databases. The total number impacted by this incident, 21.5 million, includes not only the 19.7 million applicants who had submitted information for a new or renewal background investigation, but also 1.8 million other individuals, mostly family members, whose information was submitted on applicants’ forms.
What information was exposed?
The compromised background investigation records included Social Security Numbers, current and former addresses, educational and employment histories, information about professional acquaintances and family, and details about health, financial and criminal status. Some records also included usernames and passwords used to fill out forms online, and findings from interviews conducted by investigators. About 5.6 million of the records included fingerprints.
Who was affected?
In the June incident, 21.5 million people had their Social Security Number and other identifying information stolen, including current and former service members, current and former civilian employees (both Appropriated Fund and Non-Appropriated Fund), current and former federal contractors, and spouses, children and other close contacts of the above groups.
Those who had a background investigation through OPM in 2000 or later are highly likely to be affected. Those who had a background investigation prior to 2000 may still be affected, but it is less likely.
What is OPM doing to help those impacted?
Those affected by the background investigation incident will receive a notification letter and PIN code in the mail providing details on the services available at no cost until Dec. 31, 2018. The services include continuous identity and credit monitoring, identity theft insurance and identity restoration.
What can I do now if I think I may be impacted?
For those who think they may be impacted but have not yet received a notification letter, the Resource Center initially listed several steps to take, including these:
In answer to several recent FAQs, OPM has also posted the following:
“The Government is working to set up a resource to assist individuals who have either lost their PIN code or believe their data may be impacted but have not yet received a notification letter. This resource will allow you to request your PIN if you are impacted and also enter your address. More information on this resource will be available soon. Regular updates will be made to www.opm.gov/cybersecurity to explain how to access this resource. You can sign up here to subscribe and automatically receive updates.”