The US Office of Personnel Management has admitted that the widely-publicised data breach in June was more wide-reaching than at first thought.
The OPM has now publicly recognised that data records of 21.5 million people have been lost after hackers targeted central databases. The 21.5m records include present, former, and prospective government employees and contractors – essentially anyone seeking security clearance.
This is in addition to the 4m people whose records OPM had already confessed to having lost.
The newly disclosed records contain much more detailed background check information, including details about family members and acquaintances, employment history, health and financial records, interview transcripts, usernames and passwords, and even fingerprints, The Register reports.
“Certainly, during the Cold War nobody would have thought of OPM as a target for identity theft or espionage,” National Security Council cybersecurity coordinator Michael Daniel reportedly said during a press conference call on Thursday. “Just the nature of paper files and the way that we thought about information didn’t lend itself to that”.
Although some have blamed interests in China for the hack, officials remained tight-lipped, saying that investigations are still ongoing: “Just because we’re not doing public attribution does not mean that we are not taking steps to deal with the matter,” Daniel said.
As We Live Security reported earlier in the week, a system called Electronic Questionnaires for Investigations Processing (e-QIP) used to make background checks has been suspended following the attacks. In a security review, a vulnerability was discovered in the vetting program, leading to its suspension.
“The security of OPM’s networks remains my top priority as we continue the work outlined in my IT Strategic Plan, including the continuing implementation of modern security controls,” OPM Director Archuleta said at the time.
by Karl Thomas, ESET