U.S. Office of Personnel Management Director Katherine Archuleta testifies Tuesday before the Senate Appropriations Committee concerning a recently revealed data breach affecting millions of federal employees' personal data. Credit: Jonathan Ernst/Reuters
Investigators have tallied up the number of records stolen in an attack on the U.S. Office of Personnel Management (OPM), and it's bigger than anyone thought.
The agency has concluded "with high confidence" that hackers got away with sensitive information including Social Security numbers on 21.5 million people -- almost everyone who underwent a background security investigation for a government job through OPM since 2000.
The majority of records, some 19.7 million, were for background investigation applicants while an additional 1.8 million were from nonapplicants -- friends and family of applicants who would also be investigated as part of the process.
Hackers also got away with 1.1 million fingerprints, the agency said.
OPM handles the background security checks for the vast majority of government workers, and contractors and prospective employees are asked to provide detailed personal information that sometimes includes recent histories of drug abuse, legal problems, financial problems and run-ins with law enforcement.
As such, the information stolen by the still-unidentified hackers will be chilling to anyone affected: also included is residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.
Some of the records stolen also included findings from interviews conducted by investigators. The usernames and passwords used by applicants were also stolen, OPM said.
However, OPM said that some of the most personal information it holds -- on financial and mental health history of applicants -- does not appear to have been stolen.
"There is no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of federal personnel were impacted by this incident," it said.
The details come from an inter-agency investigation that was conducted by OPM when it learned about the hack. The agency uncovered the data breach earlier this year as it worked to upgrade its computer security system.
The hack is the second major attack on OPM's systems discovered as part of its security upgrade. A previous one, uncovered in April 2015, involved the theft of personnel data on 4.2 million current and former federal employees.
In reaction to the news, Representative Ted Lieu, a California Democrat, and Representative Steve Russell, an Oklahoma Republican, have started a push to move background checks out of OPM.
"The security clearance system was previously housed at the Department of Defense," Lieu said in a statement. "In hindsight, it was a mistake to move the security clearance system to OPM in 2004. We need to correct that mistake."
Sign up for Computerworld eNewsletters.