The sensitive information of nearly 22 million Americans was stolen from the Office of Personnel Management (OPM), according to the latest investigation by federal officials.
The investigation concluded with "high confidence" that personal information, including the Social Security numbers of 21.5 million individuals, was stolen from the agency's background investigation databases.
The newest damage assessment by OPM is significantly larger than the initial reports in June, when federal agencies said the hacks compromised the records of as many as 18 million people. A separate but related hack discovered earlier this year compromised the personnel data of 4.2 million people -- a cyber crime that affected not only OPM but also records at Department of the Interior. About 3.6 million people were affected by both crimes.
"This was a challenging investigation," the Department of Homeland Security's Andy Ozment told reporters in a conference call Thursday. Though some in the Obama administration have attributed these hacks to Chinese state actors, officials would not confirm the identity of the hackers. They did, however, say that the separate incidents were perpetrated by "the same actor moving between different networks." The "adversary" responsible for the OPM hack discovered in April had been on the agency's network for eleven months -- from May of 2014 to April of 2015 -- with compromised credentials from an outside contractor.
In addition to Social Security numbers, hackers also stole information about people's financial, personal, and employment histories. The cyber attack also compromised the information of close acquaintances and family members of former, current, and potential federal employees.
Officials at OPM also announced Thursday that they would continue the investigation and implement new protections for those who had been affected by the hack. These include providing a comprehensive suite of monitoring and protection services for the agency's background investigations and establishing a call center specifically to respond to victims of the cyberattack.
Congressmen from both sides of the aisle immediately responded with concern about the news.
House Oversight and Government Reform Committee Chair Jason Chaffetz, R-Utah, called for OPM Director Katherine Archuleta to resign her post after more information was revealed about the hacks.
"Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries," Chaffetz said in a statement. "Such incompetence is inexcusable."
"I have been deeply disturbed by the information Members of the Intelligence Committee received from OPM since the disclosure of these hacks," House Intelligence Committee Chair Rep. Adam Schiff, D-California, said in a statement. "I do not believe OPM was fully candid in its original briefing to the Committee and omitted key information about two distinct hacks and the breadth of the potential compromise. To the degree OPM has not been fully forthcoming with Congress or has sought to blame others for a lack of its own adequate security, OPM has not inspired confidence in its ability to safeguard our networks and most sensitive databases."
When asked Thursday if Archuleta would resign, the agency head said she would not.
"I am committed to the work I am doing at OPM," Archuleta told reporters. "I have trust in the staff that is there including [OPM Chief Information Officer] Donna Seymour."