OPM Hack

tl;dr: OPM database was tied to 007 database, but also to State Dept. Passport database, DOD service records, and pass-through access to a complete set of other extraordinarily sensitive National Security data, including detailed information on every US defense contractor facility, data about which defense facilities both USG and contractors may have visited, and any contacts made with non-US officials and civilians both inside and outside the US, even while on vacation. Ultimately, the potential exists even for the compromise of the personally identifiable information (“PII”) of NATO and non-NATO visits to and from the United States.

To top it off, they then gave the three credit agencies access to this PII so that we could all get meaningless credit reporting for the next three years. That also increases the attack surface through which that information is available.

Someone had it right – user data is toxic waste, and PII is radioactive. It might be useful, but like Hanford in the 40s, the companies using it haven’t figured out that keeping it secure is going to be a long-term problem: a leaking hazardous-waste seepage pond.