Fedweek

More concerning to many is the separate breach of security clearance application files, which happened earlier though it was discovered later, and almost certainly involves far more people. OPM still has not even estimated how many, though, saying the widely reported 18 million figure was a preliminary estimate by law enforcement agencies of how many Social Security numbers are in those files. Another number circulated by some on Capitol Hill, 32 million, apparently is based on the total of persons on whom background checks have been performed for any reason, including entry into military service. OPM has not said how far back the affected records go (the generally accepted estimate is about 30 years); exactly what information was compromised (the SF 86 clearance application form at issue requires disclosures of personal histories that go far beyond identifying and basic career information in the personnel records); whether the clearance file information was stolen or only accessed (experts believe it was stolen); whether any information in the files was altered, for example to add or remove information about an employee that could affect a clearance decision (officials have said that is possible); how or when OPM will notify affected persons (which potentially includes contractor employees and military personnel in addition to federal workers who applied for a clearance); what services will be offered to them; and how much all that might cost. OPM’s continued warnings that yet more problems may be discovered have added to the anxiety—as did its announcement earlier this week that it had detected a vulnerability in “E-QIP,” a system for submitting clearance applications online, and was suspending its use for up to six weeks.
Even before that announcement, there were growing calls from Congress for a change in OPM’s leadership, including a letter from most Republicans on the key House committee saying that OPM has “failed to correct serious vulnerabilities” in its computer security despite having been warned repeatedly in IG audits going back eight years. OPM has responded by describing steps it took previously and additional ones currently underway or planned, and has continued to blame difficulties in making older computer systems secure per today’s standards. However, the IG’s office has responded that many of the systems involved were not outdated and has expressed a lack of confidence in OPM’s ability to successfully carry out its plans.