I've Been Mugged Blog

Update on the massive data breach at the Office of Personnel Management (OPM). After discovering in April 2015 that the sensitive personal information of 4.2 million persons was compromised, on July 9 the OPM announced that the number of affected persons was far larger:

"... OPM discovered that additional information had been compromised: including background investigation records of current, former, and prospective Federal employees and contractors. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen."

Additionally, The OPM has not yet notified all affected persons. It has promised to provide free credit monitoring services to persons whose Social Security numbers have been compromised or stolen.

As a result of the massive breach, OPM Director Katherine Archuleta resigned on Friday, July 10. Reportedly, the hacking began before Archuleta assumed the director position.

Some news organizations characterized the OPM breach as "epic." While the sensitive data stolen in the OPM breach is very troubling, there have been several larger data breaches, defined by the number of records compromised or stolen. The TJX Companies / TJ Maxx breach affected about 94 million persons. The Heartland Payment Systems data breach affected 130 million persons, affected both retail stores and banks, and resulted in numerous lawsuits. The Sony Playstation Network data breach affected 77 million persons; but totaled more than 100 million persons after adding the 25 million persons affected by the breach at Sony Online Entertainment (SOE). Earlier this year, the Anthem, Inc. breach breach affected 80 million persons, including patients and staff.

Many politicians had called for the OPM Director's resignation. If this is the expectation, then CEOs at corporations with massive data breaches should also lose their jobs, unless shareholders find these massive breaches acceptable.