In late September, the Office of Personnel Management (OPM) announced it had significantly underestimated the number of fingerprints stolen in last spring’s massive data breach. Originally the estimate stood at 1.1 million; after closer inspection, OPM realized the number more likely to be around 5.6 million. Beyond the 21.5 million records that had been compromised, order this was not the first time the scale of the breach was underestimated.
Yet a better way to understand the scale and costs of the OPM breach is to compare it to another significant leakage of classified documents, courtesy of Edward Snowden.
It’s now been months since both crimes occurred, allowing one to view both with a certain amount of time and distance. And the verdict is in: the OPM data breach was far more detrimental to U.S. national security than Snowden’s thievery.
Here’s why: the People’s Republic of China stole sensitive, non-replicable information from OPM, including addresses and health and financial information from 19.7 million people, and at least 1.8 million from other people who are spouses and friends. FBI Director James Comey noted information stolen included details on people’s neighbors, their travel destinations, and any foreigners with whom they had come in contact.
In the case of the Snowden disclosures, other than what was already released, little is known about what was stolen. This uncertainty adds to the severity of the event because there is a chance what remains in Snowden’s possession could compromise intelligence agents.
However, in the two years since the first disclosures, there has only been one known instance of this actually occurring, and it’s unclear what exactly happened. According to The Sunday Times, some of Snowden’s documents reportedly contained information about how Britain’s MI6 operates. Making matters worse, the Times reported both Russia and China had deciphered the relevant classified documents on its agents. In response, London was forced to move intelligence officers, which according to the British government, had “been doing useful work.”
Furthermore, the OPM breach is also worse than the Snowden disclosures because it might be impossible to mitigate the damage. Some of the most controversial documents Snowden leaked detailed NSA’s surveillance programs, but last summer, Congress debated this issue at great length and eventually passed the USA Freedom Act. Under the Act’s provisions, NSA is now required to seek records from phone companies, and they must use a “specific search term” to limit the scope of the search. Although many might–and did–argue it is not a solution and introduce new national security vulnerabilities, it is however proof that these controversial programs can be altered.
On the other hand, the personal information that was stolen from the OPM cannot so easily be changed. That is, the data cannot be swapped out if we expect U.S. government employees to remain effective. During a briefing, Director Comey said: “There is a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government. Just imagine you are an intelligence service and you had that data, how it would be useful to you.”
The only effective way to prevent the sensitive information stolen from the OPM from harming either those affected or the interests of our country would be to replace every person whose information was stolen. However, that is not a solution because the victims of the breach were likely, as the British agents were, “doing useful work.” The U.S. government cannot simply remove millions of employees from duty.
To be sure, considering how recent both the OPM breach and the Snowden disclosures are it is likely the “ultimate cost”—however defined—of each remains unknown. For this reason, it remains possible the repercussions from the documents released by Edward Snowden could prove to be more harmful than the OPM breach.
But for right now, given how OPM’s breach directly affected millions of government workers who work on sensitive issues personally, its pernicious effects will be felt for a generation or more.
Sam Kramer is a research assistant for Overt Action.