OPM Announces More Than 21 Million Affected by Second Data Breach

More than 21 mil­lion So­cial Se­cur­ity num­bers were com­prom­ised in a breach that af­fected a data­base of sens­it­ive in­form­a­tion on fed­er­al em­ploy­ees held by the Of­fice of Per­son­nel Man­age­ment, the agency an­nounced Thursday.

This hack is sep­ar­ate from the breach of OPM data that com­prom­ised 4.2 mil­lion So­cial Se­cur­ity num­bers and was made pub­lic in June. Of­fi­cials have privately linked both in­tru­sions to China.

Of the 21.5 mil­lion re­cords that were stolen, 19.7 mil­lion be­longed to in­di­vidu­als who had un­der­gone back­ground in­vest­ig­a­tions, OPM said. The re­main­ing 1.8 mil­lion re­cords be­longed to oth­er in­di­vidu­als, mostly ap­plic­ants’ fam­il­ies.

3.6 mil­lion people were af­fected by both breaches, OPM press sec­ret­ary Sam Schu­mach said Thursday night, bring­ing the total num­ber of in­di­vidu­als af­fected by the pair of OPM hacks to 22.1 mil­lion.

The re­cords that were com­prom­ised in the breach an­nounced Thursday in­clude de­tailed, sens­it­ive back­ground in­form­a­tion, such as em­ploy­ment his­tory, re­l­at­ives, ad­dresses, and past drug ab­use or emo­tion­al dis­orders. OPM said 1.1 mil­lion of the com­prom­ised files in­cluded fin­ger­prints.

(RE­LATED: Law­maker Pledges Le­gis­la­tion to Bet­ter Pro­tect Hacked Feds as An­oth­er Uni­on Sues OPM)

Some of the files in the com­prom­ised data­base also in­clude “res­id­ency and edu­ca­tion­al his­tory; em­ploy­ment his­tory; in­form­a­tion about im­me­di­ate fam­ily and oth­er per­son­al and busi­ness ac­quaint­ances; health, crim­in­al and fin­an­cial his­tory; and oth­er de­tails,” OPM said.

Also in­cluded in the data­base is in­form­a­tion from back­ground in­vest­ig­a­tions, as well as user­names and pass­words that ap­plic­ants used to fill out in­vest­ig­a­tion forms. And al­though sep­ar­ate sys­tems that store health, fin­an­cial, and payroll in­form­a­tion do not ap­pear to have been com­prom­ised, the agency says some men­tal health and fin­an­cial in­form­a­tion is in­cluded in the se­cur­ity clear­ance files that were af­fected by the hack.

Be­sides the 21.5 mil­lion in­di­vidu­als who had their So­cial Se­cur­ity in­form­a­tion stolen, OPM says oth­ers’ identi­fy­ing in­form­a­tion—such as their names, ad­dresses, and dates of birth—also were com­prom­ised.

OPM will provide cred­it mon­it­or­ing and iden­tity-theft pro­tec­tion ser­vices to the in­di­vidu­als whose So­cial Se­cur­ity num­bers were stolen, but those in­di­vidu­als will be re­spons­ible for dis­sem­in­at­ing in­form­a­tion to oth­er people they may have lis­ted on their back­ground check forms. Those people, whom the gov­ern­ment will not con­tact dir­ectly, will not have ac­cess to gov­ern­ment-bought iden­tity-pro­tec­tion ser­vices.

The hack that res­ul­ted in the loss of these re­cords began in May 2014, ac­cord­ing to OPM Dir­ect­or Kath­er­ine Archu­leta’s testi­mony be­fore Con­gress. It was not dis­covered un­til May 2015.

(RE­LATED: A Timeline of Gov­ern­ment Data Breaches)

A se­cur­ity up­date ap­plied by OPM and the Home­land Se­cur­ity De­part­ment in Janu­ary ended the bulk of the data ex­trac­tion, ac­cord­ing to con­gres­sion­al testi­mony from Andy Oz­ment, as­sist­ant sec­ret­ary for cy­ber­se­cur­ity and com­mu­nic­a­tions at DHS, even though the breach would not be dis­covered for months.

OPM said Thursday that in­di­vidu­als who un­der­went back­ground in­vest­ig­a­tions in or after the year 2000 are “highly likely” to have had their in­form­a­tion com­prom­ised in the breach. (This in­cludes both new ap­plic­ants and em­ploy­ees that were sub­ject to a “peri­od­ic re­in­vest­ig­a­tion” dur­ing that time.) But those who were in­vest­ig­ated be­fore 2000 also may have been af­fected.

CSID, the con­tract­or that was em­ployed to send out no­ti­fic­a­tions and provide iden­tity pro­tec­tion to the 4.2 mil­lion in­di­vidu­als af­fected by the hack an­nounced in June, is not cur­rently in­volved in the no­ti­fic­a­tion pro­cess for this data breach, a spokes­man for the com­pany said.

Law­makers and of­fi­cials cri­ti­cized CSID for its hand­ling of the earli­er no­ti­fic­a­tion pro­cess, and for mak­ing many em­ploy­ees who called in with ques­tions wait on hold for hours. It was not im­me­di­ately clear what com­pany will handle the next round of no­ti­fic­a­tions.

News of the second in­tru­sion was first re­por­ted in June and was de­scribed as a po­ten­tially dev­ast­at­ing heist of gov­ern­ment data, as hack­ers seized ex­tens­ive se­cur­ity-clear­ance in­form­a­tion from in­tel­li­gence and mil­it­ary per­son­nel. OPM said at the time that it be­came aware of the second hack while in­vest­ig­at­ing the smal­ler breach.

The size of the second breach ex­ceeds most of the es­tim­ates pre­vi­ously re­por­ted in vari­ous me­dia out­lets.

The per­son­nel agency said Thursday that it has not seen any in­dic­a­tion that the stolen in­form­a­tion has been “mis­used” or oth­er­wise dis­sem­in­ated.

(RE­LATED: Wash­ing­ton Can’t Fix Com­puter Glitches)

On Wed­nes­day, FBI Dir­ect­or James Comey re­fused to provide a spe­cif­ic num­ber when asked by mem­bers of the Sen­ate In­tel­li­gence Com­mit­tee about the size of the breach. Comey did say the hack was “enorm­ous,” however, and con­firmed that his own data had been com­prom­ised.

Sev­er­al law­makers in both parties have called for the resig­na­tions of Archu­leta and Donna Sey­mour, the chief in­form­a­tion of­ficer at OPM, since the data breaches came to light last month. A rush of state­ments Thursday ad­ded to that grow­ing chor­us build­ing against Archu­leta, from House Speak­er John Boehner, House Ma­jor­ity Whip Steve Scal­ise, and Re­pub­lic­an Sens. John Mc­Cain and Marco Ru­bio, among oth­ers.

Sen. Mark Warner, who sits on the Sen­ate In­tel­li­gence Com­mit­tee and has been in­volved in the fal­lout fol­low­ing the OPM hacks, also called for Archu­leta’s ouster late Thursday.

“The tech­no­lo­gic­al and se­cur­ity fail­ures at the Of­fice of Per­son­nel Man­age­ment pred­ate this dir­ect­or’s term, but Dir­ect­or Archu­leta’s slow and un­even re­sponse has not in­spired con­fid­ence that she is the right per­son to man­age OPM through this crisis,” the Vir­gin­ia Demo­crat said in a Thursday night state­ment. “It is time for her to step down, and I strongly urge the ad­min­is­tra­tion to choose new man­age­ment with proven abil­it­ies to ad­dress a crisis of this mag­nitude with an ap­pro­pri­ate sense of ur­gency and ac­count­ab­il­ity.”

Rep. Bar­bara Com­stock, a Vir­gin­ia Re­pub­lic­an who was no­ti­fied last month that her per­son­al in­form­a­tion had been com­prom­ised in the hacks due to her pre­vi­ous roles as a fed­er­al em­ploy­ee, chided Archu­leta for dis­play­ing “com­pla­cency, apathy “… and in­com­pet­ence” in the wake of the breach.

“It goes to the top,” Com­stock said in an in­ter­view with Na­tion­al Journ­al. “This is a fail­ure of lead­er­ship on her part, and if the pres­id­ent does not have the lead­er­ship to do this, I think she should step aside.”

At least two House Demo­crats, Reps. Ted Lieu and Jim Langev­in, the co­chair of the House cy­ber­se­cur­ity caucus, also have de­man­ded Archu­leta’s re­mov­al. Lieu and Re­pub­lic­an Rep. Steve Rus­sell went a step fur­ther Thursday, an­noun­cing that they were work­ing on le­gis­la­tion that would move the se­cur­ity-clear­ance data­base out of OPM en­tirely and in­to the hands of an un­spe­cified agency “that has a bet­ter grasp of cy­ber­threats.”

Archu­leta, for her part, has re­mained res­ol­ute in the face of with­er­ing scru­tiny. Dur­ing a Thursday press call, the one­time polit­ic­al dir­ect­or for Pres­id­ent Obama’s 2012 reelec­tion cam­paign, said she and her staff should be ap­plauded, not con­demned, for their ef­forts to up­grade the agency’s cy­ber­se­cur­ity since she took of­fice in Novem­ber 2013.

“It is be­cause the ef­forts of OPM and its staff that we’ve been able to identi­fy the breaches,” Archu­leta said. When asked dir­ectly if she or Sey­mour would resign, Archu­leta replied: “No.”

A White House spokes­man re­it­er­ated sup­port for the OPM dir­ect­or Thursday, echo­ing re­cent state­ments from White House press sec­ret­ary Josh Earn­est. In mid-June, Earn­est said that Obama “has con­fid­ence” that Archu­leta “is the right per­son for the job.”

This art­icle has been cla­ri­fied to re­flect the total num­ber of in­di­vidu­als af­fected by either OPM data breach.