More than 21 million Social Security numbers were compromised in a breach that affected a database of sensitive information on federal employees held by the Office of Personnel Management, the agency announced Thursday.
That number is in addition to the 4.2 million Social Security numbers that were compromised in another data breach at OPM that was made public in June.
Of the 21.5 million records that were stolen, 19.7 million belonged to individuals who had undergone a background investigation, OPM said. The remaining 1.8 million records belonged to other individuals, mostly applicants' families.
The records that were compromised include detailed, sensitive information about the individuals, including fingerprint data. OPM says 1.1 million compromised files included fingerprints.
Beyond the fingerprints and Social Security numbers, some of the files in the compromised database included "residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details," OPM said.
Some records included "findings from interviews conducted by background investigators," and some included the usernames and passwords that applicants used to fill out investigation forms. And although separate systems that store health, financial, and payroll information do not appear to have been compromised, the agency says some mental health and financial information is included in the security clearance files that were affected by the hack.
This data breach, which officials have privately linked to China, began in May 2014, according to OPM Director Katherine Archuleta's testimony before Congress. It was not discovered until May 2015.
A security update applied by OPM and the Department of Homeland Security in January 2015 ended the bulk of the data extraction, according to congressional testimony from Andy Ozment, assistant secretary for cybersecurity and communications at DHS, even though the breach would not be discovered for months.
An OPM statement said that individuals who underwent background investigations in or after the year 2000 are "highly likely" to have had their information compromised in the breach. (This includes both new applicants and employees who were subject to a "periodic reinvestigation" during that time.) But those who were investigated before 2000 may also have been affected.
News of the second intrusion was first reported in June and was described as a potentially devastating heist of government data, as hackers seized extensive security-clearance information on intelligence and military personnel. OPM said at the time that it became aware of the second hack while investigating the smaller breach that affected 4.2 million, which was disclosed earlier in June.
The size of the breach exceeds most of the estimates previously reported in various media outlets, including CNN, which said last month that the FBI believed 18 million people had been affected by the hack.
The personnel agency said Thursday that it has not seen any indication that the stolen information has been "misused" or otherwise disseminated.