I have received a number of data breach notification letters over the past several years—from health insurance providers, from websites, from retail stores and schools—but none more chilling than the letter that arrived this week from the U.S. Office of Personnel Management. I should have expected it, but somehow it still caught me off guard, made me angry, even made me a little scared.
“You are receiving this notification because we have determined that your Social Security Number and other personal information was included in the intrusion,” OPM Acting Director Beth Cobert wrote to me. “As someone whose information was also taken, I share your concern and frustration and want you to know we are working hard to help those impacted by this incident.” Strangely, I did not find it especially comforting to hear that the current director of OPM is every bit as susceptible to compromise as I am.
Also reassuring was her update that the “information in our records may include your name, Social Security number, address, date and place of birth, residency, educational and employment history, personal foreign travel history, information about immediate family as well as business and personal acquaintances, and other information used to conduct and adjudicate your background investigation.” As I mentioned, I’ve had data stolen before: credit card numbers, health insurance records, login credentials, you name it. But I’ve never had data stolen at this scale before—and I’ve never had data stolen that also jeopardizes my friends and family.
For those of you who have never had a security clearance, it involves not just dredging up and recording every minute detail of your life (everywhere you’ve lived, every job you’ve ever held, every trip you’ve ever taken, every potentially embarrassing or blackmail-worthy moment of your existence) but also a considerable amount of information about other people (your relatives, neighbors, bosses, roommates, exes, friends in foreign countries—their full names, addresses, telephone numbers, citizenship). As Jamie Winterton wrote in Future Tense in July, “While the questions felt intrusive at times, I understood the reasons for them, and I trusted that my information would be guarded closely. But that trust was broken.”
The letter, which arrived five months after the announcement of the OPM breach, offered me and my (nonexistent) “dependent minor children” three years of free credit and identity monitoring services—a laughable attempt at damage control. What about the dozens of other people I provided information about—who’s going to tell them? Who’s going to monitor their credit and identities?
I’ll go home for Thanksgiving later this week and tell my family members that they may be at risk and there’s nothing I can do about it beyond urge them to monitor their credit and issue a credit freeze. Am I also supposed to awkwardly call up old friends and former acquaintances and let them know that they may be impacted, like I’ve just been diagnosed with some kind of digital STI? I don’t even remember all the people I’ve listed on SF-86 forms over the past six years—much less how to reach them.
The government has estimated that roughly 21.5 million people had their Social Security numbers compromised in the breach, including 19.7 million applicants for security clearances and 1.8 million of their relatives and associates. Of those people, 5.6 million also had their fingerprints compromised, and all of those numbers are a dramatic increase from the initial estimates released over the summer, when the government thought only 4 million people had been affected by the breach with 1.1 million fingerprint records compromised. But it’s not clear that even the revised numbers include the people whose Social Security numbers weren’t compromised, but whose names, addresses, birthdates, and contact information were listed on forms. Since completing an SF-86 form requires listing that information for at least a dozen friends, family members, and roommates, I have to imagine that total number would dwarf the 21.5 million figure.
It’s frustrating that the U.S. government went to all the trouble to collect information on the (painfully boring) minutiae of my life in the name of protecting national security only to leave that information woefully unprotected. Some of the stolen data I know how to deal with—credit freezes, identity theft insurance. Some of it I frankly don’t. (“Our records also indicate your fingerprints were likely compromised during the cyber intrusion,” the letter states. “Federal experts believe the ability to misuse fingerprint data is currently limited. However, this could change over time as technology evolves.” What do I do then? File them off my fingers?)
But at least I chose to work for the government, at least I voluntarily turned over the information that was stolen about me, at least I got a letter (five months later) notifying me that my data was compromised, at least I have three years of monitoring and protection (surely enough time to file off my fingerprints), at least I have led such an astoundingly unadventurous and law-abiding life that my clearance turned up no particularly interesting or exotic secrets that would leave me open to future blackmail. That’s not a whole lot to be thankful for this week, but it’s more than I can say for some of the people affected by the breach, especially all of the people I inadvertently put at risk, the people who had no say in any of this and may not even know their information is out there (unless they see this article).
I know, as the letter reminds me, that everyone at OPM is suffering these same frustrations. I give them credit for warning us explicitly in the letter not to release any personal information to anyone pretending to be a representative of OPM or the identity theft protection service they’re providing (though I wish that warning had been distributed to people much sooner). All the same, I wish they would take greater responsibility for notifying and protecting all of the other people impacted by this breach besides current and former government employees—the friends and family members of those employees whose information also appeared in the stolen records because the government’s screening processes required it.
At the bottom of the letter, under Cobert’s signature, is a footer with the URLs for the OPM and USAJobs websites, as well as OPM’s mission statement: “Recruit, Retain and Honor a World-Class Workforce to Serve the American People.” I have to imagine that the line is merely included out of habit, and not as a form of ironic commentary. But besides all the other direct damage this breach has caused—and will yet cause—it’s hard not to see it as a major setback to every component of that mission.
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.