Hackers swiped Social Security numbers from 21.5 million people — as well as fingerprint records and other information from background check investigations — in the massive breach earlier this year of federal personnel files, the government acknowledged Thursday.
The Office of Personnel Management included the findings in a statement Thursday on the investigation into a pair of major hacks believed carried out by China.
“The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases,” the agency said of the second breach, which affected background investigation files.
OPM said it is “highly likely” anyone who underwent a background investigation through the agency since 2000 has been affected. The 21.5 million number mostly includes those who applied for one, but also 1.8 million others, “predominantly spouses or co-habitants of applicants.”
OPM said these records include “findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints.” The agency said they have no information at this point to suggest “any misuse or further dissemination of the information that was stolen from OPM’s systems.”
Despite agency pledges to help those affected with credit monitoring and other assistance, the latest numbers are sure to deepen concerns about the risks those affected face.
The OPM statement Thursday pertained to a second breach, discovered in May — separate from one discovered in April which affected more than 4 million people.
The larger breach impacted background investigation records of current, former and prospective federal workers and contractors. OPM acknowledged a wide range of information is potentially at risk:
“OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”
The number affected by this breach is higher than the 14 million figure that investigators gave reporters last month. They said the government was increasingly confident that China’s government, and not criminal hackers, was responsible for the extraordinary theft of personal information.
China has publicly denied involvement in the break-in.
A former senior intelligence official also told Fox News that the attack is not an isolated incident, but part of a broader campaign by China to build a massive database that can be used to earmark and index the intelligence for future use. This information is being aggregated, and the level of organization points to backing of Chinese military units.
The numbers are so high because a high-level security clearance requires a review every five years. Each time, the individual must supply three new references — meaning a single official could easily have personal information for over a dozen people in the system.
The extent of, and response to, the breach has already led to calls for the firing of top officials at OPM.
House Oversight and Government Reform Committee Chairman Jason Chaffetz, along with 17 other Republican lawmakers, last month called on President Obama to fire Director Katherine Archuleta and Chief Information Officer Donna Seymour
“Simply put, the recent breach was entirely foreseeable, and Director Archuleta and CIO Donna Seymour failed to take steps to prevent it from happening despite repeated warnings,” they said in a letter.