The Office of Personnel Management has extended credit monitoring and identity-theft protection to just a fraction of the victims of the recent breaches on its personnel databases. Many more — including federal employees’ family members and contractors — are wondering if and when they’ll be offered the same treatment.
“Contractors are hoping for OPM guidance,” said Alan Chvotkin, executive vice president of the Professional Services Council. “They don’t want to wait forever.”
OPM has offered services to the 4.2 million current and former federal employees whose data was compromised in a breach on the agency’s personnel database. But to date, OPM has not notified any potential victims of the second, larger breach on its database that stores completed security clearance forms known as SF-86s. In Congressional testimony earlier this week, agency director Katherine Archuleta refused to confirm or deny speculation that as many as 32 million people could be affected, citing the ongoing law enforcement investigation. Regardless, the final number is likely to represent decades of federal employees, job applicants, and contractors who have filled out the forms in order to access classified government information.
The form asks probing questions about applicants’ personal and professional histories, including whether they’ve ever had trouble with the law, sought counseling or had drug problems. Often an applicant might put down information that they have not shared with anyone, said Evan Lesser, managing director of ClearanceJobs.com.
Insight by Confluent: Learn about how agencies are benefitting from that concept of data-in-motion to improve mission outcomes in this exclusive e-book.
“Everyone has skeletons in their closet, but would you want your employer knowing about it?” he said. “And if your spouse doesn’t know about it, would you want them knowing about it?”
Such secrets may leave security-clearance holders vulnerable to corruption or blackmail, as government officials have warned over the past few weeks.
Nearly a million federal contractors hold security clearances, according to the Director of National Intelligence’s office. Yet OPM has not reached out to contractors directly, Chvotkin said.
In OPM’s absence, some companies have offered to pay for credit monitoring for their cleared employees as a proactive step. Chvotkin said he had spoken with four companies that made that decision. But others have not done so because they fear credit monitoring alone cannot make their employees safe.
One company considered, but ultimately rejected, credit monitoring out of fear that it would not be enough to guarantee employees’ safety, he said.
“It won’t address the risk of exposure that their employees now face,” Chvotkin said. “They aren’t concerned about whether someone is going to open a bank account with [the employee’s] information or steal their tax returns.”
That company is watching its employees with security clearances more carefully. It plans to double down on continuous monitoring of the employees’ email and other technology, he said.
The SF-86 also requires that applicants list detailed information about their relatives, work associates, ex-spouses and others in their lives. Yet OPM is not offering credit monitoring services to family members of breach victims.
That has infuriated some federal employees, who fear that their family members might be vulnerable too.
“I received my notification, but when I went to sign up for the credit monitoring, my spouse was specifically excluded from coverage,” said Jim Stevens, who works for Naval Sea Systems Command. “On the SF-86 form, we are required to give all the same personal information for our spouses (name, Social Security number, date and place of birth, and current or former addresses) that OPM stated as the reason we were being notified. That would double again the amount of people affected by the breach. When is OPM going to address the affected spouses and do the right thing?”
OPM dismisses the idea that spouses need the same protection. It states on its website, “At this time, we have no evidence to suggest that family members of employees were affected by the breach of personnel data.”
An agency spokesperson’s comment suggests that conclusion might be temporary, however.
“Since the investigation is ongoing, additional exposures may come to light. In that case, OPM will conduct additional notifications as necessary,” they said.
The agency probably should offer credit monitoring and identity protection services to clearance applicants’ family members, but it may be holding back because of the logistics and expense of serving so many people, Lesser said.
“If you think that each person with a security clearance has probably listed at least 10 people within their SF-86 that they have some contact with, you’re looking at a gigantic number of people. That’s something that even the federal government couldn’t keep up with,” he said. “They’ll probably just advise people to be vigilant.”
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
There is precedent, however. The health insurer Anthem earlier this year offered identity theft protection to about 80 million people after hackers broke into its database.
Rep. Chris Van Hollen (D-Md.) sent a letter to Archuleta today, asking that OPM extend identity theft protection for everyone potentially impacted by the two cyber breaches the agency sustained.
“A recent report released by the Federal Bureau of Investigations indicated that the cyberattack is likely to have impacted a significantly larger number of federal workers than has been reported by your agency,” Van Hollen wrote. “According to the FBI, more than 18 million people may have been affected by the data breach as a result of hackers gaining access to information contained in security clearance documents. Even that number may be a conservative estimate given that it does not account for the personally identifiable information of family members and references which is also contained in these forms.”
Van Hollen said that OPM should offer identity theft protection to the victims of the second data breach.
“This should include the millions of people whose information was accessed when background check files were compromised. Furthermore, the timeline for the protection should be extended beyond the 18 months initially offered by OPM to account for the fact that the number of people potentially affected continues to grow.”
A coalition of federal labor unions and other groups that represent 5 million current and former federal employees and their families is asking the White House to step in. Information shared thus far has been “woefully insufficient” and OPM’s offers to data breach victims have been “woefully inadequate,” the Federal-Postal Coalition writes.
Addressing its letter to President Barack Obama, the coalition said, “The responsibility to correct what has transpired and to put the nation on a new course rests with you as the Chief Executive. This involves greater communication with federal workers and retirees, the organizations that represent them, and others impacted; heightened accountability; and the application of more aggressive safeguards to protect federal IT systems, including workforce databases.”
The group does not call for the ouster of OPM Director Katherine Archuleta. But others are. Following a week of Congressional hearings on the breaches, House Republicans today sent Obama a letter asking that he fire Archuleta and OPM Chief Information Officer Donna Seymour.
They said OPM failed to follow “basic cybersecurity best practices that should have been addressed years ago.”
“Simply put, the recent breach was entirely foreseeable, and Director Archuleta and CIO Donna Seymour failed to take steps to prevent it from happening despite repeated warnings,” they wrote.
The letter is signed by House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah) and 17 other GOP members.