During a June 23, 2015 Congressional hearing, officials from the U.S. Office of Personnel Management (the “OPM”) testified that a recent breach of its data systems may have affected personal information (including social security numbers) of as many as 18 million current, former, and prospective government employees. In early June, the OPM publicly disclosed that it had been the victim of a data breach involving the personnel records of approximately 4 million current and former government workers. Last week, Administration officials acknowledged that the OPM data breach had also included the theft of information related to the background investigations of current, former, and prospective U.S. government employees.
Officials from the OPM were criticized during the Congressional hearing for not providing complete and timely information about the breach, as media reports have alleged that the theft of the background investigation information was known to the administration at the time the OPM publicly announced the breach involving personnel records. Media reports have generally attributed the cyber theft from OPM systems to Chinese hackers; an allegation not publicly confirmed by the U.S. government and denied by the Chinese government.
Administration officials have maintained that the cyber thefts from OPM systems involved two separate attacks – the first (announced on June 4) involving the personnel records and the second (announced June 12) involving the security clearance forms. This approach has frustrated lawmakers, who feel all information about the full scope of the breach should have been disclosed by the OPM as soon as it was known, rather than disclosing pieces of information over a week and, as lawmakers have asserted, arguably minimizing the severity of the incident. In response to this criticism, an OPM spokeswoman said that the agency had been “completely consistent” in its accounting of the breach, and continued that “[a]s the investigation into the personnel records intrusion continued, it was discovered that the OPM systems containing information related to the background investigations of current, former and prospective federal government employees…may also have been compromised,” and that Congress was appropriately notified. However, on June 5th, a day after the breach was first announced, another OPM spokesman said there was “no evidence to suggest that information other than what is normally found in a personnel file has been exposed.’’According to news reports, by that time, the FBI already knew, and had told OPM and administration officials, that background investigation information had been accessed.