Personal information for about 21.5 million current and former federal employees, as well as job applicants and contractors, was stolen when hackers infiltrated the government’s database for background checks, officials said Thursday.
The Office of Personnel Management (OPM) said that 19.7 million people who applied for a background check and 1.8 million non-applicants — mostly spouses or co-habitants — were affected in what is the largest data breach in U.S. government history.
The latest finding is much higher than the 4.2 million figure OPM officials had previously reported. That number only included the first of two separate hacks and didn't include the people affected in the second breach, officials said.
While the stolen information from the first is considered to be less sensitive, such as performance reviews, unencrypted Social Security numbers were exposed as well.
The agency said it was “highly likely” that someone who had a background investigation through their offices as far back as 2000 was affected. People who applied before 2000 were “less likely" to have been affected.
Government officials have attributed the series of hacks to China. However, Michael Daniel, special assistant to the president and cybersecurity coordinator, would not confirm that assessment in a call with reporters Thursday afternoon.
Andy Ozment, a top cybersecurity official with the Department of Homeland Security, said the people behind the attack infiltrated the government network in May 2014 and were present until April 2015.
The OPM first reported the incident to the public in June, though details of the second, larger breach were not made available until Thursday, following an interagency forensic investigation.
According to the OPM, some of the breached records include interviews conducted by background investigators, Social Security Numbers, and about 1.1 million fingerprints. Health, criminal and financial history information were also compromised in the cyber attack.
The agency doesn’t believe the information has been misused or further disseminated.
In light of the cyber attacks lawmakers have criticized the agency’s information technology vulnerabilities.
Reps. Jason Chaffetz and Ted Lieu, both of the House Oversight Committee, have called for members of the OPM's senior leadership to resign, namely the agency's director, Katherine Archuleta, and her chief information officer, Donna Seymour.
But asked by reporters on Thursday if she would step down, Archuleta said she remained “committed to the work that I am doing at OPM."
Archuleta said the OPM would offer a comprehensive suite of credit monitoring and identity theft protections to the individuals affected by the hack for up to three years. An online cybersecurity help center will be established by the agency, and individuals whose information was stolen will begin to be notified in the coming weeks, Archuleta said.
After Thursday's announcement, House Speaker John Boehner also said he had no confidence in the current leadership at OPM and called on President Obama to fire Archuleta.
“Too much trust has been lost, and too much damage has been done,” Boehner said in a statement. “It has taken this administration entirely too long to come to grips with the magnitude of this security breach – a breach that experts agree was entirely foreseeable."
The OPM said it would “take aggressive action” to strengthen its cybersecurity, including implementing "two-factor" authentication for all system users, expanded monitoring, and hiring a new cybersecurity advisor.
Adolfo Flores is a national security correspondent for BuzzFeed News and is based in Los Angeles. He focuses on immigration.
Contact Adolfo Flores at firstname.lastname@example.org.
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.
Contact Hamza Shaban at Hamza.Shaban@buzzfeed.com.
Got a confidential tip? Submit it here.