FBI Director James Comey says the Office of Personnel Management will soon release new details about the scope of its massive breach.
Testifying before the Senate Intelligence Committee on Wednesday, Comey said the White House is about to release a final tally describing the number of people whose personal data was compromised in the cyber breach.
“I know that the administration, OPM in particular, is working and is close to offering a public and more detailed accounting of what we think was lost. But, it is an enormous breach, and a huge amount of data that is personal and sensitive to federal employees, former federal employees, people who applied for federal employment was available to the adversary… we’re talking about millions and millions of people affected by this,” Comey said.
New details about those affected could add more pressure to the already embroiled agency.
OPM has offered 18 months of free credit monitoring and identity-theft protection to the 4.2 million federal employees — current and former — affected by a breach in the agency’s personnel database. But it’s remained quiet about who has been affected by a second, larger breach of a database that stores information about security clearance forms, known as SF-86s.
As Comey described in his testimony, those security clearance forms contain sensitive information about the family, friends and acquaintances of government workers:
“I’m sure the adversary has my SF-86 now. My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected … I’ve got siblings, I’ve got five kids, I’ve got — all of that is in there, and so the numbers quickly grow far beyond the number of federal employees, which is millions … And so it is a very, very big number. It is a huge deal.”
The 127-page security clearance form asks for exhaustive details such as a list of the applicant’s residences for the past 10 years, plus the information of neighbors with whom they’ve made contact. The document also asks for information about an applicant’s extended family.
OPM currently is not offering credit monitoring or ID protection for the families of federal employees. It states on its website that, “At this time, we have no evidence to suggest that family members of employees were affected by the breach of personnel data.”
Two of the largest federal employee unions, the American Federation of Government Employees and the National Treasury Employees Union, have filed lawsuits against OPM. While the AFGE lawsuit seeks compensation for federal employees affected by the breach, NTEU hopes the court will file an injunction to stop OPM from collecting personal information from government workers until its systems are secure.