(Bloomberg) – Hackers stole Social Security numbers and other personal data for about 22.1 million people in breaches of the U.S. government’s personnel office, the Obama administration said.
The Office of Personnel Management disclosed the results of an investigation into the hacks Thursday. The total includes new data related to the breach of security clearance applications as well as information previously released on the theft of personnel records.
“We live in a world where the cybersecurity threats we are facing are increasingly growing broader,” Michael Daniel, White House cybersecurity coordinator, told reporters in a conference call announcing the findings. “The adversaries are growing more sophisticated.”
The Chinese government is a leading suspect behind the attack, according to Director of National Intelligence James Clapper, some lawmakers and cybersecurity companies that conduct forensics investigations.
Daniel declined to confirm whether China was responsible. However, he indicated the Obama administration already has moved behind the scenes to take action in response to the attack.
“Just because we’re not doing public attribution does not mean we’re not taking steps to deal with the matter,” he said.
Of the 22.1 million people, 21.5 million were affected in the security-clearance breach, including 19.7 million who applied for a background investigation and 1.8 million non-applicants such as spouses of applicants. In a separate breach, the agency said 4.2 million people had their personnel records stolen. Of those, 3.6 million are included in the total released Thursday.
Personal information, including fingerprints and passwords, from U.S. job applicants who went through federal government background checks while applying for security clearances was breached in the intrusions, which OPM discovered in April.
There’s no evidence that the stolen data is being used for criminal or other nefarious purposes, Archuleta said.
The new numbers vastly expand the publicly disclosed scope of the hack, which targeted federal government employees and contractors.
“If an individual underwent a background investigation through OPM in 2000 or afterwards,” OPM said in a release Thursday, “it is highly likely that the individual is impacted by this cyber breach.”
OPM said the types of information compromised includes “Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.”
Several government employees have expressed frustration in the wake of the hack, accusing OPM of withholding information about its scope and failing to provide adequate protections against identity theft.
U.S. Treasury employees filed suit this week seeking lifetime credit monitoring and calling the attack a violation of the constitutional right to privacy. The American Federation of Government Employees placed a full-page ad in Politico on Thursday, calling for OPM to release more information about the scope of the breach.
“AFGE remains frustrated by the lack of information being provided by OPM on the number of current, retired and prospective employees whose information was stolen,” the labor union said Thursday in a statement. “OPM also has not detailed what information was stolen, leaving millions of employees anxiously waiting for answers.”
The union, which has called for free lifetime credit monitoring for affected individuals, filed a class-action complaint against OPM last month.
OPM has offered credit monitoring and identity theft services to affected employees.
–With assistance from Alex Wayne in Washington.