Agencies Finally Move to Stronger Sign-ons as OPM Breach Widens to 21 Million


Officials now say the massive breach of background check and personnel files housed by OPM has spurred federal agencies into taking action to secure their networks.

Obama administration officials finally provided estimates Thursday for the total number of federal employees and contractors affected by a breach of Office of Personnel Management databases holding background check data on millions of national security personnel.

And officials now say the massive breach of background check and personnel files housed by OPM has spurred federal agencies into taking action to secure their networks.

Some 20 percent more federal agencies have done away with simple password logins in favor of stronger sign-on measures, according to the Obama administration.

The change comes amid one of the most devastating hacks of government data ever -- and more than a decade after a presidential directive mandated all government systems be upgraded to require smart cards and passcodes for access.

Overall, hackers stole data on a total of 21.5 million federal employees and contractors, OPM Director Katherine Archuleta announced Thursday. Most of those impacted had applied for security clearances, although it also includes data on more than 1.8 million family members of clearance seekers.

The total number affected is five times larger than a previous breach of federal employee personnel records disclosed by OPM last month.

Days after the government disclosed the first hack, the White House on June 12 directed all agencies to run a "30-day Cybersecurity Sprint" that ends Sunday.

The emergency cyber cleanup concentrates on instituting so-called two-factor authentication of users with broad network access; monitoring networks for signs of known hacker operations; and patching years-old as well as new security vulnerabilities.

"As we're nearing the end of the 30-day sprint, I have positive results to report,” U.S. Chief Information Officer Tony Scott said in a call with reporters Thursday. “In several areas, we've dramatically increased" the number of two-step verification for privileged users signing into networks governmentwide. "A number of agencies have hit 100 percent and, broadly across the government, it's increased by more than 20 percent. So, good results in that arena."

About 59 percent of users at the major federal agencies were still only using passwords to login last year, according to the Government Accountability Office.

Scott said there will be various reports issued in the coming weeks laying out progress on some of the items included in the cyber sprint. Left unsaid was how many other breaches were discovered while probing vulnerabilities and looking for signs of compromise.

OPM Director Katherine Archuleta said she plans to stay in office to enhance her agency's security posture, despite continued insistence from Republicans and some Democrats that she depart from OPM over her agency’s handling of cybersecurity.

Archuleta also announced a separate review of protections undergirding the security clearance and background investigation system. The 90-day assessment will be conducted by an interagency team made up of the Office of Management and Budget, OPM and the Office of the Director of National Intelligence, along with the departments of Defense, Homeland Security and Energy.

Late last month, OPM temporarily pulled the plug on an online tool used to submit background check forms because of an unspecified security hole. The system, called e-QIP, remains down.

DHS on Thursday finally disclosed the findings of a forensic investigation into the second of the two recent break-ins at OPM. The second intrusion to be disclosed last month affected background histories and investigative interviews involving applicants for clearances to handle U.S. secrets. Details on the first intrusion, which exposed the Social Security numbers and other identification data of past and current government employees, were first made public June 4.

"These are separate but related [incidents], but it was the same actor moving between different network, at least that is what the investigation right now indicates," said Andy Ozment, assistant secretary of DHS’ Office of Cybersecurity and Communications.

The forensics for the background check breach "were extremely complicated and that's one of the reasons why it has taken additional time to get to the facts of the matter here," Ozment said. "We were only able to confirm recently that some data had been, in fact, stolen, and OPM has spent the last few weeks working to identify which data exactly was taken."

Federal officials said investigations are ongoing.

Officials declined to publicly identify attackers, but suggested they might already be contemplating a strategic response.

"We are exploring all the different options that we have, and we're not really prepared to comment at this time on the attribution behind this event," White House Cyber Coordinator Michael Daniel said. "What I will say is that we are continuing to look at all the different ways and all the different tools that we have to respond, and just because we're not doing public attribution does not mean that we are not taking steps to deal with the matter."

(Image via jijomathaidesigners/