OPM Announces More Than 21 Million Affected by Second Data Breach
The federal personnel agency announced Thursday a massive hack.
By Kaveh Waddell and Dustin Volz
July 9, 2015
More than 21 million Social Security numbers were compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management, the agency announced Thursday.
That number is in addition to the 4.2 million Social Security numbers that were compromised in another data breach at OPM that was made public in June.
Of the 21.5 million records that were stolen, 19.7 million belonged to individuals who had undergone a background investigation, OPM said. The remaining 1.8 million records belonged to other individuals, mostly applicants' families.
The records that were compromised include detailed, sensitive information about the individuals, including fingerprint data. OPM says 1.1 million compromised files included fingerprints.
Beyond the fingerprints and Social Security numbers, some of the files in the compromised database included "residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details," OPM said.
Some records included "findings from interviews conducted by background investigators," and some included the usernames and passwords that applicants used to fill out investigation forms.
This data breach, which officials have privately linked to China, began in May 2014, according to OPM Director Katherine Archuleta's testimony before Congress. It was not discovered until May 2015.
A security update applied by OPM and the Department of Homeland Security in January 2015 ended the bulk of the data extraction, according to congressional testimony from Andy Ozment, assistant secretary for cybersecurity and communications at DHS, even though the breach would not be discovered for months.
An OPM statement said that individuals who underwent background investigations in or after the year 2000 are "highly likely" to have had their information compromised in the breach. But those who were investigated before 2000 may also have been affected.
News of the second intrusion was first reported in June and was described as a potentially devastating heist of government data, as hackers seized extensive security-clearance information on intelligence and military personnel. OPM said at the time that it became aware of the second hack while investigating the smaller breach that affected 4.2 million, which was disclosed earlier in June.
The size of the breach exceeds most of the estimates previously reported in various media outlets, including CNN, which said last month that the FBI believed 18 million people had been affected by the hack.
The personnel agency said Thursday that it has not seen any indication that the stolen information has been "misused" or otherwise disseminated.
On Wednesday, FBI Director James Comey refused to provide a specific number when asked by members of the Senate Intelligence Committee about the size of the breach. Comey did say the hack was "enormous," however, and confirmed that his own data had been compromised.
Several lawmakers in both parties have called for the resignations of Archuleta and Donna Seymour, the chief information officer at OPM, since the data breaches came to light last month. In a sharp statement Thursday after the numbers were revealed, House Oversight Chairman Jason Chaffetz reiterated his belief that the two "need to resign or be removed" from their posts.
"Since at least 2007, OPM leadership has been on notice about the vulnerabilities to its network and cybersecurity policies and practices," the Utah Republican said. "Director Archuleta and Ms. Seymour consciously ignored the warnings and failed to correct these weaknesses. Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries. Such incompetence is inexcusable. Again, I call upon President Obama to remove Director Archuleta and Ms. Seymour immediately."