A spotlight once again fell on the U.S. government’s security technology this summer after hackers and improper data transfers exposed millions of federal employees and contractors. In the largest data breach, hackers stole personal information from 21.5 million federal workers and contractors housed by the U.S. Office of Personnel Management. A separate OPM attack exposed personnel data of 4.2 million individuals. The first breach was discovered in April; investigators discovered the second a month later. U.S. officials pointed to Chinese hackers. In both cases, it appears thieves accessed the data using security credentials stolen from third-party contractors U.S. Investigation Services and KeyPoint Government Solutions. In the second attack, hackers grabbed sensitive information of 19.7 million individuals who had applied for a background check and 1.8 million more non-applicants, including spouses and cohabitants of the applicants. The stolen data included Social Security Numbers, employment details, and health, education, criminal and financial information. The breach also exposed 1.1 million fingerprints and the usernames and passwords applicants used to fill out background investigation forms. Individuals that underwent a background investigation in 2000 or later through the Office of Personnel Management are “highly likely” to be affected, according to the agency. Just a day after the second OPM breach was announced, the federal government’s security systems took another blow. An unrelated breach compromised the personal information of more than 850,000 Army National Guard members. The exposure came after an improperly handled data transfer, showing hackers aren’t the only road to exposed data. The information — including Social Security numbers and home addresses —belonged to roughly 868,000 current and former National Guard Members who have served since 2004. In a July news release, National Guard spokesman Maj. Earl Brown said the data was “was inadvertently transferred to a non-[Defense Department]-accredited data center by a contract employee.” The leak highlighted the importance of high security measures for third-part contractors. “I don’t think this is a terrible surprise that something like this would happen,” Ken Levine, president and CEO of vendor Digital Guardian, told crn.com. “I think it certainly shows that as government agencies and even corporations, they have suppliers, they have third parties all the time handling sensitive data, and if they don’t have some automated processes in place to control the flow of data then things like this will happen.” Both the Army National Guard and the Office of Personnel Management offered resources for those affected. The OPM’s Cybersecurity Resource Center outlines what those impacted can do to protect themselves; the agency is offering 18 months of identity protection and restoration service.
