The U.S. Office of Personnel Management announced on Thursday that sensitive information including Social Security numbers for 21.5 million people was among the data lost in a breach of its background investigation database.
An investigation into this and a separate smaller breach of an OPM database detected in April – that one involving information on 4.2 million people – concluded they were carried out by the same “actor,” OPM officials said.
There was overlap in the breaches: About 3.6 million people whose data was compromised in the personnel records breach also had records taken in the background check hack, making a total of 22.1 million people affected by the twin cyberattacks, an OPM spokesperson told NBC News.
The new numbers expanding the scope of the attacks come one day after FBI Director James Comey called the hack an “enormous breach” to the U.S. Senate Intelligence Committee, saying “millions and millions” of government records were stolen, including his own.
The investigation into the hacks concluded that the second breach, which targeted background investigation records kept by OPM, included Social Security numbers, information on family members and other contacts, as well as health and criminal records. The data haul also included an estimated 1.1 million fingerprint records.
In total, hackers are thought to have netted records on 19.7 million people who applied for background check investigations with the federal government, and another 1.8 million people including spouses who did not apply for a background check but whose information was included in the forms. Anyone who applied for a background check from 2000 on is likely to have had their information compromised in the breach, OPM said on Thursday.
“I truly understand the impact this has had on our current and former federal employees, our military personnel, and our contractors,” OPM Director Katherine Archuleta told reporters Thursday on a conference call.
Among the forms used in federal background checks is the Standard Form 86, a 127-page document that delves into intimate questions about prior brushes with the law, drug use, psychiatric health, and info on friends and family members. It requires the applicant to put his or her Social Security number on nearly every page of the document.
China was named as “the leading suspect” in the breach last month by Director of National Intelligence James Clapper.
Asked on the call whether China was behind the hacks, Michael Daniel, special assistant to the president and cybersecurity coordinator, responded, “At this point, the investigation into the attribution of this event is still ongoing and we are exploring all the different options that we have.”
He added: “Just because we’re not doing public attribution does not mean we’re not taking steps to deal with the matter.”
Officials did confirm on the call that both attacks were the work of “the same actor” who gained access to the OPM system with a contractor’s username and password.
The breaches have been the subject of numerous hearings on Capitol Hill since they first came to light, with Archuleta facing tough questions from lawmakers who have called for her dismissal and that of OPM CIO Donna Seymour.
“Since at least 2007, OPM leadership has been on notice about the vulnerabilities to its network and cybersecurity policies and practices,” House Oversight Committee Chairman Jason Chaffetz (R-UT) said in a statement on Thursday. “Director Archuleta and Ms. Seymour consciously ignored the warnings and failed to correct these weaknesses. Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries.”
On Thursday, Archuleta told reporters that she would not be stepping down.
“I am committed to the work that I am doing at OPM,” Archuleta said. “I have trust in the staff that is there, including Donna Seymour.”
In the aftermath of the breaches, OPM suspended the use of its Electronic Questionnaires for Investigations Processing system (e-QIP), taking it offline for a month or more to make security upgrades. Anyone undergoing a background check for secret clearances in the meantime will have to do so using an older, less hackable technology: paper forms.