CRS Insights
OPM Data Breach: Personnel Security Background Investigation Data
Michelle D. Christensen, Analyst in Government Organization and Management (mchristensen@crs.loc.gov, 7-
0764)
July 24, 2015 (IN10327)
In a July 9, 2015, news release
on the cyber-intrusions of its systems, OPM "concluded with high confidence that
sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from
the background investigation databases." OPM's background investigation databases contain sensitive personal
information on individuals (including congressional staff) who have undergone a personnel security background
investigation as part of the security clearance process. This sensitive personal information may include financial
and credit data, details on alcohol or illegal drug use, names of foreign contacts, or mental health information.
OPM's systems also contain information on individuals without security clearances, but who have undergone a
background investigation for other reasons. For example, OPM conducts background investigations on individuals
whose positions involve policymaking, law enforcement, or other responsibilities that demand a great deal of
"public trust," even if the positions do not require access to classified materials.
According to OPM, the breach includes data from 19.7 million current, former, and prospective employees and
contractors who applied for a background investigation after 2000. Additionally, the breach includes personally
identifiable information of 1.8 million non-applicants, which OPM states are primarily "spouses or co-habitants of
applicants." OPM also confirmed that "the usernames and passwords that background investigation applicants
used to fill out their background investigation forms were also stolen," and that some of the records compromised
by the breach include fingerprints.
The investigation into the OPM breach is ongoing. This CRS Insight provides information on the types of data that
may be collected in a typical personnel security background investigation and is not an official statement of the
data that was compromised in the OPM breach.
What Information Is Collected on OPM's Background Investigation Forms?
The information collected will depend on the applicant's position and the type of background investigation
required. OPM uses three standard forms for background investigations: SF-85, SF-85P, or SF-86 form. The forms
are typically submitted electronically using OPM's Electronic Questionnaires for Investigations Processing (e-QIP)
system. OPM had suspended use of e-QIP "for security enhancements," but re-enabled the system on July 23,
2015.
Data Collected for Non-Sensitive Positions
The eight-page SF-85 is required for applicants to non-sensitive positions (e.g., positions that do not require a
security clearance) who require physical access to government facilities and who are in positions with a "low risk"
to cause damage to the federal government or national security. The responsibilities of these positions are limited
and there is little opportunity to use such positions for personal gain. For this reason, the information collected is
relatively limited in scope and includes
full name, aliases, and SSN;
citizenship information;
employment information and addresses for the past five years; and
information on use or possession of illegal drugs (including marijuana) in the previous year.
Data Collected for "Positions of Public Trust"
