The U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the personal information of current and former Federal employees.
Beginning June 8 and continuing through June 19, 2015, OPM will be sending email and U.S. mail notifications to current and former Federal employees potentially impacted by the incident. Email notices will be sent from email@example.com. Standard letters will be sent to individuals for whom OPM does not have an email address.
The communication will contain information regarding services being provided at no cost to individuals impacted by the incident, including credit report access, credit monitoring, identity theft insurance, and recovery services. Additional information will be made available beginning at 8 a.m. CST on June 8, 2015 at www.csid.com/opm.
A letter from the DoDEA Director has been sent to each DoDEA employee's official email account.
Employees on leave may access their email accounts through the internet using their CAC card from the DoDEA employees page (Choose Outlook Web Access).
For additional information and the latest news from OPM, please visit the OPM Announcements page.
I am writing to provide an update on the recent cyber incidents at the U.S. Office of Personnel Management (OPM). We are committed to providing you updates as soon as they are available and we are reaching out today to share updated information from OPM. The information below can be found on OPM's new, online incident resource center - https://www.opm.gov/cybersecurity. This site will offer information regarding the OPM incidents and will direct individuals to materials, training, and useful information on best practices to secure data, protect against identity theft, and stay safe online.
Update from OPM:
Yesterday, the U.S. Office of Personnel Management (OPM) announced the results of the interagency forensics investigation into a recent cyber incident involving Federal background investigation data and the steps it is taking to protect those impacted. DoD and OPM will continue to provide additional information going forward.
Background on the intrusion into OPM's systems. Since the end of 2013, OPM has undertaken an aggressive effort to upgrade the agency's cybersecurity posture, adding numerous tools and capabilities to its various legacy networks. As a direct result of these steps, OPM was able to identify two separate but related cybersecurity incidents on its systems.
Yesterday, OPM announced the results of the interagency forensic investigation into the second incident. As previously announced, in late-May 2015, as a result of ongoing efforts to secure its systems, OPM discovered an incident affecting background investigation records of current, former, and prospective Federal employees and contractors. Following the conclusion of the forensics investigation, OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.
While background investigation records do contain some information regarding mental health and financial history provided by those that have applied for a security clearance and by individuals contacted during the background investigation, there is no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of Federal personnel were impacted by this incident (for example, annuity rolls, retirement records, USA JOBS, Employee Express).
This incident is separate but related to a previous incident, discovered in April 2015, affecting personnel data for current and former Federal employees. OPM and its interagency partners concluded with a high degree of confidence that personnel data for 4.2 million individuals had been stolen. This number has not changed since it was announced by OPM in early June, and OPM has worked to notify all of these individuals and ensure that they are provided with the appropriate support and tools to protect their personal information.
Analysis of background investigation incident. Since learning of the incident affecting background investigation records, OPM and the interagency incident response team have moved swiftly and thoroughly to assess the breach, analyze what data may have been stolen, and identify those individuals who may be affected. The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants. As noted above, some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM's systems.
If an individual underwent a background investigation through OPM in 2000 or afterwards (which occurs through the submission of forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), it is highly likely that the individual is impacted by this cyber breach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely.
Assistance for impacted individuals. OPM is also announcing the steps it is taking to protect those impacted:
Providing a comprehensive suite of monitoring and protection services for background investigation applicants and non-applicants whose Social Security Numbers, and in many cases other sensitive information, were stolen - For the 21.5 million background investigation applicants, spouses or co-habitants with Social Security Numbers and other sensitive information that was stolen from OPM databases, OPM and the Department of Defense (DOD) will work with a private-sector firm specializing in credit and identity theft monitoring to provide services such as:
The protections in this suite of services are tailored to address potential risks created by this particular incident, and will be provided for a period of at least 3 years, at no charge.
In the coming weeks, OPM will begin to send notification packages to these individuals, which will provide details on the incident and information on how to access these services. OPM will also provide educational materials and guidance to help them prevent identity theft, better secure their personal and work-related data, and become more generally informed about cyber threats and other risks presented by malicious actors.
The notification package that will be sent to background investigation applicants will include detailed information that the applicant can provide to individuals he or she may have listed on a background investigation form. This information will explain the types of data that may have been included on the form, best practices they can exercise to protect themselves, and the resources publicly available to address questions or concerns.
In conclusion, I want you to know that I am as concerned about these incidents as you are, and we want to ensure you that we are in constant contact with OPM. The Department's entire leadership is committed to providing you with the most recent resources and support, and we want to keep on hearing from you. Please send your feedback and questions to DOD.DATA.BREACH.QUESTIONS@MAIL.MIL.
Thomas M. Brady
I am writing to provide an update on the recent cyber incidents at the U.S. Office of Personnel Management (OPM). OPM is working hard to improve customer service, complete the interagency forensics effort, and conduct a comprehensive IT systems review. We have heard many of your questions and concerns about these incidents which we will address here.
First, OPM is working to complete the process of notifying individuals whose personally identifiable information (PII) may have been compromised by the incident involving personnel records announced on June 4th. All notices have been sent by letter or email. Notification letters were sent by first class mail late last week to those individuals from whom an email bounce back message was received.
As we have mentioned in our previous communications, OPM is offering credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. This comprehensive, 18-month membership includes credit report access, credit monitoring, identity theft insurance, and recovery services, and is available immediately at no cost to affected individuals identified by OPM.
All affected employees are automatically enrolled in identify theft insurance with $1 million in potential coverage and identity restoration services - which means that if your information was affected by the breach, you are already enrolled in these programs even if you have not yet contacted CSID.
Affected employees are also being provided the option to sign up through CSID for credit monitoring and other identity monitoring services. To take advantage of these additional free services, employees will have call and register with CSID. The FAQs below provide some more detail on these services.
We encourage DoDEA's employees who want to sign up for credit monitoring and other identity monitoring services to wait until they receive notifications before calling CSID to allow for others who were notified and need technical assistance to get through. Notifications may still take several days to arrive as we are still sending letters to a number of individuals. Once OPM has completed these mailings, we will provide you with information on how to contact CSID if you think you should have been notified, but have not been.
As mentioned, we have heard your concerns regarding these notifications and CSID's customer service - and we have been working with OPM to improve the quality of your experience. We understand that many of you are concerned about providing PII to CSID to register for this service. OPM has confirmed that it is not possible for CSID to provide credit monitoring services without your Social Security Number, but that you will still receive identity theft protection even if you do not register.
OPM is continuing to work with CSID to make the online signup experience quicker and to reduce call center wait times. These efforts include expanding staffing and call center hours, and increasing server capacity to better handle on-line sign ups at peak times. CSID has indicated that wait times are dependent on the volume of calls, which are usually highest between 9 a.m. and 10 a.m. CST and from noon to 1 p.m. CST.
Second, regarding the separate but related cyber incident affecting background investigations announced on June 12th, we understand that many of you are concerned and seeking more information. This incident remains under investigation by OPM, the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI). The investigators are working to determine the complete list of affected individuals. Once this information is available, OPM will coordinate with agencies to send notifications to those affected individuals as soon as possible, but this will take some time. We expect to be ready to provide information regarding affected individuals and our notification process during the week of July 6th.
OPM today announced the temporary suspension of the E-QIP system, a web-based platform used to complete and submit background investigation forms. The suspension is to enable OPM to implement security enhancements.
The actions OPM has taken are not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited. Rather, OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network.
OPM expects e-QIP could be offline for four to six weeks while these security enhancements are implemented. OPM recognizes and regrets the impact on both users and agencies and is committed to resuming this service as soon as it is safe to do so. In the interim, OPM remains committed to working with its interagency partners on alternative approaches to address agencies' requirements.
OPM also continues to update their Frequently Asked Questions which you can find here: www.opm.gov/cybersecurity
We encourage you to review OPM Director Katherine Archuleta's recent blog which also addresses many of these concerns:
http://www.opm.gov/blogs/Director. OPM is the definitive source for information on the recent cyber incidents and we will continue to update you as we learn more information.
The following are also some key reminders of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.
Safety of Personal Information Resources from National Counterintelligence and Security Center:
Steps for Monitoring Your Identity and Financial Information
Precautions to Help You Avoid Becoming a Victim
Identity Theft Clearinghouse
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580