Ever-widening OPM hack includes security clearance database

The impact of the breach of records held by the Office of Personnel Management continues to escalate, with the revelation that records on military and intelligence personnel who have applied for security clearances were taken, putting intimate details of their lives into the hands of hackers apparently from China.

The Associated Press reported Friday that the hack of the security clearance database was separate from the breach disclosed earlier this month, which is itself larger than previously thought. The government initially said involved records on 4 million current and former federal employees and did not include uniformed military personnel. In all, officials now say that records on between 9 million and 14 million people have been compromised.

None of those records are likely more revealing than those for people requesting security clearances. Applicants have to fill out Standard Form 86,  a 127-page form and questionnaire that goes into great detail on the applicant’s life—not just employment, education and residency histories, but information on family, alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records, civil court actions and a lot more.

OPM said in a statement Friday that records covered “current, former and prospective” federal employees and others who required a background check. Although SF-86 forms wouldn’t have information on where personnel are working, they could be mined for information that could possibly put agents, other personnel or missions at risk, as well as open some up to foreign recruitment.

“This is crown jewels material … a gold mine for a foreign intelligence service,” said Joel Brenner, a former NSA senior counsel, Politico reported. 

In wake of the disclosures, meanwhile, the White House has ordered a 30-day “Cybersecurity Sprint” for agencies to shore up their systems.

Federal CIO Tony Scott on June 12 ordered agencies 30 days to take specific steps to find and fix vulnerabilities and report their progress or explain their lack of it to the Office of Management and Budget and the Homeland Security Department within 30 days, according to an OMB fact sheet. Among the other steps ordered are tightening access policies, speeding up the use of smart ID cards and deploying DHS-provided indicators that could detect an attack or breach and immediately reporting anything that looks amiss.

Meanwhile, a Cybersecurity Sprint Team will review current policies and recommend a new cyber strategy for civilian agencies. The team will be made up of the Homeland Security Department, the Defense Department, OMB's E-Gov Cyber and National Security Unit and the National Security Council’s Cybersecurity Directorate.