Erin Kelly

USA TODAY

WASHINGTON — The biggest and most devastating cyber attack against the U.S. government was revealed this month when the Office of Personnel Management announced that hackers had compromised the personal data of millions of current and former federal employees.

Congress has held five hearings in the past two weeks to try to find out just what happened, but the full impact of the massive attack is still under investigation. Here's a look at what we know so far.

Q: How many government employees have had their personal information compromised?

A: This remains one of the biggest unanswered questions. OPM Director Katherine Archuleta said the first hack the agency discovered in April involved a breach of the personnel records of about 4.2 million current and former employees. OPM has notified all those people that their data has been compromised.

However, a second separate, but related, data breach was discovered in June as the first was being investigated. Hackers were able to gain access to records of background check investigations done on current, former and prospective employees who applied for jobs that require a security clearance. Archuleta said OPM and federal investigators are still trying to determine how many people were affected by that attack.

Q: Why has the number of victims been estimated at 18 million in many news reports?

A: Members of Congress said FBI Director James Comey told them, in private briefings, that the number of victims is estimated to be 18 million. FBI officials said at a Senate hearing that that number was based on OPM's own internal memo.

Archuleta said she is not comfortable with that number.

"It is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigations data," Archuleta told the Senate homeland security committee. "It is not a number that I feel comfortable, at this time, represents the total number of affected individuals."

On Wednesday, House Oversight Committee Chairman Jason Chaffetz raised the possibility that the actual number of people whose data was breached could be as high as 32 million. He based that assertion on OPM's 2016 budget request, which says that the agency is the proprietor of personally identifiable information on 32 million federal employees and retirees.

Q: Have the hackers been identified?

A: Officially, no. Unofficially, yes.

President Obama has not publicly blamed any specific group for the attack. But administration sources have told USA TODAY and other major news outlets that the attack has been linked to Chinese hackers.

Sen. John McCain, R-Ariz., pressed Archuleta on Thursday on why she won't say that publicly. Archuleta said her agency was not the one to determine that and said she would defer to the State Department.

"Even though it's all public knowledge that it was China, you're not ready to tell the committee that you know that it was China that was responsible for the hacking?" McCain asked Archuleta.

However, at a conference that same day, Director of National Intelligence James Clapper did refer to China as "the leading suspect."

Q: How did the hackers get into OPM's systems?

A: Archuleta confirmed in congressional testimony that hackers obtained a credential used by KeyPoint Government Solutions, a Colorado-based contractor that OPM uses to conduct background investigations of applicants for federal jobs that require a security clearance. The hackers used that log-in credential to breach OPM's data, she said.

"I want to be very clear that while the adversary compromised a KeyPoint user credential to gain access to OPM's network, we don't have any evidence that would suggest that KeyPoint as a company was responsible or directly involved in the intrusion," Archuleta told a Senate subcommittee.

KeyPoint CEO Eric Hess told the House oversight committee, "We do not actually know how the employee's credentials were compromised."

Q: Why was OPM vulnerable to a cyber attack?

A: Archuleta has testified extensively about the weaknesses of OPM's aging information technology systems, some of which are 30 years old. She said she made it a top priority to modernize the systems when she took office 18 months ago and has begun to deploy comprehensive new security technologies.

"We were not able to deploy them before these two sophisticated incidents (attacks), and, even if we had been, no single system is immune to these types of attacks," she told the Senate Homeland Security Committee.

However, OPM Inspector General Patrick McFarland said OPM has had a long history of ignoring warnings from his office about weaknesses in its systems.

"We believe this long history of systemic failures to properly manage its information technology infrastructure may have ultimately led to the breaches," McFarland said.

Q: What action does Congress plan to take?

A: The Senate is expected to take up legislation this year that would encourage private companies to share more cyber threat information with the federal government to help thwart hackers. The House has already passed two cybersecurity information-sharing bills, and House leaders are urging the Senate to act.

Senate Homeland Security Chairman Ron Johnson, R-Wis., and Tom Carper of Delaware, the committee's top Democrat, plan to introduce a bill to authorize and improve EINSTEIN, a system run by the Department of Homeland Security to record, detect, and block cyber threats. The bill would speed up the adoption of EINSTEIN 3A - the newest version of the system - across the government. Less than half of the government's civilian agencies are protected by EINSTEIN now, Carper said.

Follow @ErinVKelly on Twitter