OPM Announces More Than 21 Million Affected by Second Data Breach
The federal personnel agency announced Thursday a massive hack.
By Kaveh Waddell and Dustin Volz

The Office of Personnel Management Director Katherine Archuleta is sworn in before testifying to the Senate Homeland Security and Governmental Affairs Committee about the recent OPM data breach in the dirksen Senate Office Building on Capitol Hill June 25, 2015 in Washington, D.C.(Chip Somodevilla/Getty Images)

July 9, 2015

More than 21 million Social Security numbers were compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management, the agency announced Thursday.


That number is in addition to the 4.2 million social security numbers that were compromised in another data breach at OPM that was made public in June.

Of the 21.5 million records that were stolen, 19.7 million belonged to individuals who had undergone background investigation, OPM said. The remaining 1.8 million records belonged to other individuals, mostly applicants' families.

The records that were compromised include detailed, sensitive information about the individuals, including fingerprint data. OPM says 1.1 million compromised files included fingerprints.

Beyond the fingerprints and Social Security numbers, some of the files in the compromised database included "residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details," OPM said.

Some records included "findings from interviews conducted by background investigators," and some included the usernames and passwords that applicants used to fill out investigation forms. And although separate systems that store health, financial, and payroll information do not appear to have been compromised, the agency says some mental health and financial information is included in the security clearance files that were affected by the hack.

This data breach, which officials have privately linked to China, began in May 2014, according to OPM Director Katherine Archuleta's testimony before Congress. It was not discovered until May 2015.

A security update applied by OPM and the Department of Homeland Security in January 2015 ended the bulk of the data extraction, according to congressional testimony from Andy Ozment, assistant secretary for cybersecurity and communications at DHS, even though the breach would not be discovered for months.

An OPM statement said that individuals who underwent background investigations in or after the year 2000 are "highly likely" to have had their information compromised in the breach. (This includes both new applicants and employees that were subject to a "periodic reinvestigation" during that time.) But those who were investigated before 2000 may also have been affected.

News of the second intrusion was first reported in June and was described as a potentially devastating heist of government data, as hackers seized extensive security-clearance information intelligence and military personnel. OPM said at the time that it became aware of the second hack while investigating the smaller breach that affected 4.2 million, which was disclosed earlier in June.

The size of the breach exceeds most of the estimates previously reported in various media outlets, including CNN, which said last month that the FBI believed 18 million people had been affected by the hack.

The personnel agency said Thursday that it has not seen any indication that the stolen information has been "misused" or otherwise disseminated.

On Wednesday, FBI Director James Comey refused to provide a specific number when asked by members of the Senate Intelligence Committee about the size of the breach. Comey did say the hack was "enormous," however, and confirmed that his own data had been compromised.

Several lawmakers in both parties have called for the resignations of Archuleta and Donna Seymour, the chief information officer at OPM, since the data breaches came to light last month. In a sharp statement Thursday after the numbers were revealed, House Oversight Chairman Jason Chaffetz reiterated his belief that the two "need to resign or be removed" from their posts.

"Since at least 2007, OPM leadership has been on notice about the vulnerabilities to its network and cybersecurity policies and practices," the Utah Republican said. "Director Archuleta and Ms. Seymour consciously ignored the warnings and failed to correct these weaknesses. Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries. Such incompetence is inexcusable. Again, I call upon President Obama to remove Director Archuleta and Ms. Seymour immediately."

But Archuleta has remained resolute in the face of withering scrutiny. During a Thursday press call, the one-time political director for President Obama's 2012 re-election campaign, said she and her staff should be applauded, not condemned, for their efforts to upgrade the agency's cybersecurity since she took office in November 2013.

"It is because the efforts of OPM and its staff that we've been able to identify the breaches," Archuleta said. When asked directly if she or Seymour would resign, Archuleta replied: "No."

 Co'tor Shas wrote:
This pretty bad. It looks like my dad might have been one of the ones compromised too.

 cincydooley wrote:

 Co'tor Shas wrote:
This pretty bad. It looks like my dad might have been one of the ones compromised too.

fething awesome. How did he find out?

I've had background checks for teaching and through being bonded for most of my adult life....

 whembly wrote:


Could we please, get someone to head the OPM who's experience exceeds "2012 Obama National Compaign Manager"?

 LordofHats wrote:

 whembly wrote:


Could we please, get someone to head the OPM who's experience exceeds "2012 Obama National Compaign Manager"?

Because the government had such a wonderful track record with the internet before Obama, right?

Really, I wonder how many more major hacks can happen (they're coming in what, biweekly now?) before somebody says "guys, I hate to say it, but I don't think Windows Firewall is helping. We might need something stronger."

 whembly wrote:

A) Blame anybody but Obama tactic already?

 LordofHats wrote:

 whembly wrote:

A) Blame anybody but Obama tactic already?

More like the "Why blame Obama for something that's been a glaring problem since the Clinton Administration?" tactic

US Government has always sucked with computers, which in the late 90's could probably be forgiven but come oooooooh, 2004? Probably a lot less understandable at that point

 LordofHats wrote:

 whembly wrote:

A) Blame anybody but Obama tactic already?

More like the "Why blame Obama for something that's been a glaring problem since the Clinton Administration?" tactic

US Government has always sucked with computers, which in the late 90's could probably be forgiven but come oooooooh, 2004? Probably a lot less understandable at that point

JNC wrote:
Seems like this is not really important. I have to wonder if they used the information as bait. What good would the info do? We got it boss, now what?

Steal some juicy stuff already, not impressed.

NSA wants to hire the guys?

US Government has always sucked

 LordofHats wrote:

 whembly wrote:


Could we please, get someone to head the OPM who's experience exceeds "2012 Obama National Compaign Manager"?

Because the government had such a wonderful track record with the internet before Obama, right?

Really, I wonder how many more major hacks can happen (they're coming in what, biweekly now?) before somebody says "guys, I hate to say it, but I don't think Windows Firewall is helping. We might need something stronger."

 jhe90 wrote:
You spend billions on useless projects at times, why not rout some of that money into setting up a decent security system which can be used in various forms across agency's and sectors to provide a high level of security across the board.

Save every department developing there own systems and maybe even reduce costs.

Oh wait that's too sensible.

BREAKING: Embattled OPM Director Katherine Archuleta resigns in wake of revelations about massive hack of govt computer systems

— Julie Davis (@juliehdavis) July 10, 2015

 Jihadin wrote:
Those effected will receive a letter from OPM informing them that their pertinent info was compromised.

 whembly wrote:
But, I'm pretty much at the point where Congress needs to authorize a quasi private/public organization like the Federal Reserve to oversee this nation's IT Security.

 Breotan wrote:

 Jihadin wrote:
Those effected will receive a letter from OPM informing them that their pertinent info was compromised.

Assuming they have correct addresses. I can only imagine such a letter trying to reach me.

 streamdragon wrote:

 whembly wrote:
But, I'm pretty much at the point where Congress needs to authorize a quasi private/public organization like the Federal Reserve to oversee this nation's IT Security.

right, because private and quasi private organizations have never been hacked... ever.

The simple thing is that OPM has been asking for money for nearly a decade to upgrade their systems. Congress wouldn't give them money and in some budgets slashed their funding. What did people thing was going to happen?