The hackers who breached the US Office of Personnel Management accessed a second set of even more highly sensitive data, it was widely reported Friday, in revelations that make the breach one of the biggest thefts of data on federal workers.

Investigators probing the compromise have "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated," Samuel Schumach, a spokesman for the personnel agency, said in a statement to Bloomberg News Friday. The second set of data files likely included highly sensitive information from forms filled out by people applying for jobs that require security clearances.

The 127-page questionnaires ask about criminal and arrest records, mental illnesses, drug and alcohol problems, and financial data for the applicant and often family members, friends and acquaintances. Previously, Bloomberg and other news organizations said such records had been breached, but White House officials declined to confirm the theft.

Bloomberg wrote:

The announcement of a second suspected breach follows revelations that the hack could involve as many as 14 million current and former government workers. The higher total, more than triple the 4 million originally cited by the personnel office, comes from a lawmaker briefed on the investigation who asked not to be identified discussing classified information. Government background investigations can include sensitive information about individuals’ arrest records and personal lives. People seeking security clearances must provide information such as bankruptcy filings and substance-abuse history. The possibility of a second breach was shared by U.S. investigators with relevant federal agencies on June 8, according to the White House. The intrusion into the personnel agency data was first revealed publicly on June 4. White House Press Secretary Josh Earnest said on Friday that the Federal Bureau of Investigation continues to work to determine the scope of the intrusion and the identify of the hackers. He declined to confirm reports that the Chinese government initiated the attacks.

Readers who believe they may be one of the 14 million people potentially affected should strongly consider placing a security freeze on their credit files. KrebsOnSecurity reporter Brian Krebs explains here how to go about doing that. The Federal Trade Commission has also compiled this list of suggestions for current or former federal employee whose personal information may have been exposed.

While the threat facing affected individuals can't be over emphasized, the risk extends well beyond that to include just about any organization employing affected individuals. Given the amount of extremely personal and sensitive details in the hands of the unknown attackers, they are armed with the ability to wage spear phishing campaigns and other types of highly personalized scams on an almost unprecedented level. People who receive e-mails or phone calls seeking passwords or asking files be opened or Web links clicked on should be extra wary, even if the inquiries appear to come from people or organizations they know or regularly communicate with.