More than 21 million Social Security numbers were compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management, the agency announced Thursday.
This hack is separate from the breach of OPM data that compromised 4.2 million Social Security numbers and was made public in June. Officials have privately linked both intrusions to China.
Of the 21.5 million records that were stolen, 19.7 million belonged to individuals who had undergone background investigations, OPM said. The remaining 1.8 million records belonged to other individuals, mostly applicants' families.
3.6 million people were affected by both breaches, OPM press secretary Sam Schumach said Thursday night, bringing the total number of individuals affected by the pair of OPM hacks to 22.1 million.
The records that were compromised in the breach announced Thursday include detailed, sensitive background information, such as employment history, relatives, addresses, and past drug abuse or emotional disorders. OPM said 1.1 million of the compromised files included fingerprints.
Some of the files in the compromised database also include "residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details," OPM said.
Also included in the database is information from background investigations, as well as usernames and passwords that applicants used to fill out investigation forms. And although separate systems that store health, financial, and payroll information do not appear to have been compromised, the agency says some mental health and financial information is included in the security clearance files that were affected by the hack.
Besides the 21.5 million individuals who had their Social Security information stolen, OPM says others' identifying information—such as their names, addresses, and dates of birth—also were compromised.
OPM will provide credit monitoring and identity-theft protection services to the individuals whose Social Security numbers were stolen, but those individuals will be responsible for disseminating information to other people they may have listed on their background check forms. Those people, whom the government will not contact directly, will not have access to government-bought identity-protection services.
The hack that resulted in the loss of these records began in May 2014, according to OPM Director Katherine Archuleta's testimony before Congress. It was not discovered until May 2015.
A security update applied by OPM and the Homeland Security Department in January ended the bulk of the data extraction, according to congressional testimony from Andy Ozment, assistant secretary for cybersecurity and communications at DHS, even though the breach would not be discovered for months.
OPM said Thursday that individuals who underwent background investigations in or after the year 2000 are "highly likely" to have had their information compromised in the breach. (This includes both new applicants and employees that were subject to a "periodic reinvestigation" during that time.) But those who were investigated before 2000 also may have been affected.
CSID, the contractor that was employed to send out notifications and provide identity protection to the 4.2 million individuals affected by the hack announced in June, is not currently involved in the notification process for this data breach, a spokesman for the company said.
Lawmakers and officials criticized CSID for its handling of the earlier notification process, and for making many employees who called in with questions wait on hold for hours. It was not immediately clear what company will handle the next round of notifications.
News of the second intrusion was first reported in June and was described as a potentially devastating heist of government data, as hackers seized extensive security-clearance information from intelligence and military personnel. OPM said at the time that it became aware of the second hack while investigating the smaller breach.
The size of the second breach exceeds most of the estimates previously reported in various media outlets.
The personnel agency said Thursday that it has not seen any indication that the stolen information has been "misused" or otherwise disseminated.
On Wednesday, FBI Director James Comey refused to provide a specific number when asked by members of the Senate Intelligence Committee about the size of the breach. Comey did say the hack was "enormous," however, and confirmed that his own data had been compromised.
Several lawmakers in both parties have called for the resignations of Archuleta and Donna Seymour, the chief information officer at OPM, since the data breaches came to light last month. A rush of statements Thursday added to that growing chorus building against Archuleta, from House Speaker John Boehner, House Majority Whip Steve Scalise, and Republican Sens. John McCain and Marco Rubio, among others.
Sen. Mark Warner, who sits on the Senate Intelligence Committee and has been involved in the fallout following the OPM hacks, also called for Archuleta's ouster late Thursday.
"The technological and security failures at the Office of Personnel Management predate this director's term, but Director Archuleta's slow and uneven response has not inspired confidence that she is the right person to manage OPM through this crisis," the Virginia Democrat said in a Thursday night statement. "It is time for her to step down, and I strongly urge the administration to choose new management with proven abilities to address a crisis of this magnitude with an appropriate sense of urgency and accountability."
Rep. Barbara Comstock, a Virginia Republican who was notified last month that her personal information had been compromised in the hacks due to her previous roles as a federal employee, chided Archuleta for displaying "complacency, apathy "... and incompetence" in the wake of the breach.
"It goes to the top," Comstock said in an interview with National Journal. "This is a failure of leadership on her part, and if the president does not have the leadership to do this, I think she should step aside."
At least two House Democrats, Reps. Ted Lieu and Jim Langevin, the cochair of the House cybersecurity caucus, also have demanded Archuleta's removal. Lieu and Republican Rep. Steve Russell went a step further Thursday, announcing that they were working on legislation that would move the security-clearance database out of OPM entirely and into the hands of an unspecified agency "that has a better grasp of cyberthreats."
Archuleta, for her part, has remained resolute in the face of withering scrutiny. During a Thursday press call, the onetime political director for President Obama's 2012 reelection campaign, said she and her staff should be applauded, not condemned, for their efforts to upgrade the agency's cybersecurity since she took office in November 2013.
"It is because the efforts of OPM and its staff that we've been able to identify the breaches," Archuleta said. When asked directly if she or Seymour would resign, Archuleta replied: "No."
A White House spokesman reiterated support for the OPM director Thursday, echoing recent statements from White House press secretary Josh Earnest. In mid-June, Earnest said that Obama "has confidence" that Archuleta "is the right person for the job."
This article has been clarified to reflect the total number of individuals affected by either OPM data breach.