Second OPM hack puts 21.5 million people at risk

Reuters / James Lawler Duggan
A second data breach at the US Office of Personnel Management has affected 21.5 million people, with the hackers stealing sensitive information such as Social Security numbers and putting them at risk of identity theft, the agency announced.

Notably, the agency said that this incident is “separate but related” to the one that saw 4.2 million former and current government employees personnel data compromised.

Of the 21.5 million people whose information was stolen, 19.7 million were individuals who had submitted to federal background checks, which are needed in order to gain security clearances. The other 1.8 million people were non-applicants, such as family members of those who were being checked, OPM stated.

OPM said it “determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history” and more.

Some 1.1 million records included fingerprint records. OPM added that hackers also got away with usernames and passwords that individuals used to submit their background investigation forms. Not just current federal employees were affected, either, but also former and prospective ones.

Meanwhile, OPM says that so far there is “no evidence” showing that separate systems used to store information about health, financial, payroll and retirement records were affected by the breach.

The department said that it will also work with other agencies to boost identity theft monitoring, including by providing identity theft insurance, credit and fraud monitoring, and more.

Previous reports have quoted unnamed US officials blaming China for the attack, but the White House declined to go on the record on Thursday.

"At this point the investigation into the attribution of this event is still ongoing and we are exploring all of the different options that we have,” Michael Daniel of the National Security Council said to Reuters.

The hack has turned out to much more extensive than was previously believed, with compromised information dating back about 15 years. OPM said that anyone who underwent a background investigation since 2000 is “highly likely” to have had their records stolen.

READ MORE: OPM head blames old security, lax practices for cybersecurity breaches

In response, OPM said it “continues to take aggressive action to strengthen its broader cyber defenses and information technology (IT) systems,” partnering with the Department of Defense, Homeland Security, the FBI and more.

Some high-ranking lawmakers aren’t buying that explanation, though. After OPM’s announcement, House of Representatives Speaker John Boehner (R-Ohio) said that President Barack Obama should remove the agency’s leadership from their positions.

"After today's announcement, I have no confidence that the current leadership at OPM is able to take on the enormous task of repairing our national security," he said in a statement.

The department was also criticized by House Oversight Committee Chairman Jason Chaffetz (R-Utah).

"Since at least 2007, OPM leadership has been on notice about the vulnerabilities to its network and cybersecurity policies and practices," he said in a statement to NBC News. “Director Archuleta and Ms. Seymour consciously ignored the warnings and failed to correct these weaknesses. Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries."

On Twitter, Rep. Adam Schiff of the House Intelligence Committee said that he was “deeply disturbed” by the information disclosed by OPM and questioned whether the agency was being fully honest with lawmakers about the breaches.