The U.S. Office of Personnel Management announced on Thursday that sensitive information including Social Security numbers for 21.5 million people was among the data stolen in a hack of its computer networks.
An investigation determined that this hack and a separate, smaller breach of an OPM database detected in April — that one involving information on 4.2 million people — were carried out by the same “actor” or "adversary," OPM officials said.
There was overlap in the breaches: About 3.6 million people whose data were compromised in the smaller personnel records breach also had records taken in the larger background check hack, making a total of 22.1 million people — roughly 1 of every 15 Americans — affected by the twin cyberattacks, according to OPM officials.
The new numbers come one day after FBI Director James Comey, during testimony before the Senate Intelligence Committee, called the OPM hack an "enormous breach," saying "millions and millions" of government records were stolen, including his own.
Officials have concluded that the larger breach, which targeted background investigation records kept by OPM, included Social Security numbers, information on family members and other contacts, as well as health and criminal records. The data haul also included an estimated 1.1 million fingerprint records.
In total, hackers are thought to have netted records on 19.7 million people who applied for background check investigations with the federal government, and another 1.8 million people including spouses who did not apply for a background check but whose information was included in the forms. Anyone who applied for a background check from 2000 on is likely to have had their information compromised, OPM said.
"I truly understand the impact this has had on our current and former federal employees, our military personnel, and our contractors," OPM Director Katherine Archuleta told reporters Thursday on a conference call.
Among the forms used in federal background checks is the Standard Form 86, an 127-page document that delves into intimate questions about prior brushes with the law, drug use, psychiatric health, and info on friends and family members. It requires the applicant to put his or her Social Security number on nearly every page of the document.
China was named as "the leading suspect" in the breach last month by Director of National Intelligence James Clapper.
Asked on the call whether China was behind the hacks, Michael Daniel, special assistant to the president and cybersecurity coordinator, responded, “At this point, the investigation into the attribution of this event is still ongoing and we are exploring all the different options that we have.”
He quickly added: “Just because we’re not doing public attribution does not mean we’re not taking steps to deal with the matter.”
Officials did confirm on the call that both attacks were the work of "the same actor" who gained access to the OPM system probably starting in May or June of 2014 with a contractor's stolen username and password. The smaller hack of an OPM database hosted in the Department of Interior was detected in April, said Andy Ozment, assistant secretary of Homeland Security's Office of Cybersecurity and Communications. Tracing that hack turned up evidence of the wider background information breach, he said.
Archuleta: I Am Not Resigning
The breaches have been the subject of numerous hearings on Capitol Hill, with Archuleta facing tough questions from lawmakers who have called for her dismissal and that of OPM CIO Donna Seymour.
House Speaker John Boehner, R-Ohio, on Thursday joined the chorus calling for Archuleta's resignation. "After today’s announcement, I have no confidence that the current leadership at OPM is able to take on the enormous task of repairing our national security. Too much trust has been lost, and too much damage has been done," Boehner said in a statement.
Sen. Mark R. Warner, D-Va., Sen. Steve Daines, R-Mont., and Rep. Jason Chaffetz, R-Utah, also issued statements Thursday saying Archuleta must go.
On Thursday's teleconference with reporters, Archuleta said she would not be stepping down. "I am committed to the work that I am doing at OPM," she said. "I have trust in the staff that is there, including Donna Seymour."
Archuleta said there's been no evidence to date that any of the stolen information has been misused.
In the aftermath of the breaches, OPM suspended the use of its Electronic Questionnaires for Investigations Processing system (e-QIP), taking it offline for a month or more to make security upgrades. Anyone undergoing a background check for secret clearances in the meantime will have to do so using an older, less hackable technology: paper forms.