The hackers who breached the Office of Personnel Management stolen more than 21 million Social Security numbers, according to new details from the agency.
The OPM hack, first discovered in May, is the largest ever successful cyberattack against the U.S. government. Since the breach was first revealed in early June, the scope of the attack has been growing steadily. It was initially reported to affect four million federal employees, but that number was later bumped to 18 million and now stands at 21.5 million.
More than 19 million of the stolen records included background-check investigation details, and 1.1 million included fingerprint data, according to OPM. The agency also said that everyone who had undergone a background check beginning in 2000 was almost certainly affected.
U.S. authorities haven’t officially named a perpetrator for the attack, but most governmental sources are privately pointing the finger at China.
Michael Daniel, WH cyber advisor, says admin not ready to attribute the OPM hack to a specific actor. (DNI has said main "suspect" China)
— Shane Harris (@shaneharris) July 9, 2015
“We are deeply concerned over the failure of the federal government to adequately protect its personnel computer systems and the devastating impact the recent breaches of these systems may have on national security, as well as on the financial and personal security of millions of current and former federal employees,” David Snell, federal benefits service director of the National Active and Retired Federal Employees Association, said at a Congressional hearing on Wednesday.
Katherine Archuleta, OPM’s director, has resisted calls to resign from many Republicans, and she maintained that stance on Thursday as her agency provided its most detailed accounting to date of the scope of the breach.
In a statement released shortly after OPM’s announcement, the top Democrat on the House Intelligence Committee blasted the agency for failing to properly brief Congress.
“I do not believe OPM was fully candid in its original briefing to the Committee and omitted key information about two distinct hacks and the breadth of the potential compromise,” Rep. Adam Schiff (D-Calif.) said in a statement.
The failures that led to the OPM breach stretch beyond the small personnel office. The Department of Homeland Security, FBI, and even the National Security Agency have all faced cybersecurity vulnerabilities that officials are racing to patch. The government has been rolling out new cyber defenses and will continue to do so over the next year.
OPM is still in the process of notifying the millions of federal employees and family members who were affected by the breach.