OPM says second hack affected more than 21M Americans

Erin Kelly and David Jackson | USA TODAY

Show Caption Hide Caption U.S. Personnel Office says over 25 million records hacked The U.S. Office of Personnel Management said on Thursday that hackers had stolen sensitive information, including social security numbers, of about 21.5 million people from background investigation databases.

Corrections and clarifications : An earlier version of this story misstated the number of people affected by the hack.

WASHINGTON — The massive hack of background check records at the Office of Personnel Management compromised the data of 21.5 million people — five times more than were affected by an initial breach, the agency announced Thursday.

The revelation brought more calls from Congress for OPM Director Katherine Archuleta to be fired.

"After today's announcement, I have no confidence that the current leadership at OPM is able to take on the enormous task of repairing our national security," said House Speaker John Boehner, R-Ohio. "Too much trust has been lost, and too much damage has been done. President Obama must take a strong stand against incompetence in his administration and instill new leadership at OPM."

When the hack was revealed early last month, OPM officials said personal information from the personnel records of about 4.2 million current and former federal employees had been breached.

That number did not include the victims of a second, related hack into the background check forms of people applying for jobs that required security clearance. OPM officials said Thursday that an interagency investigation of that data breach concluded that sensitive information — including Social Security numbers — was stolen from 21.5 million people.

The victims of that second hack include 19.7 million people who applied for a background investigation, as well as 1.8 million others who were not applicants. The non-applicants were primarily spouses and cohabitants of the applicants, and their personal information was included in the background check forms the applicants were required to complete.

The breach is likely to have affected any federal applicant over the past 15 years, and perhaps longer.

For any individual who underwent a background check since 2000, "it is highly likely that the individual is impacted by this cyber breach," the OPM statement said. "If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely."

The statement said there is no information to suggest "any misuse or further dissemination of the information that was stolen from OPM's systems."

Two major federal employee unions sued OPM for failing to protect their personal information.

Thursday's announcement further outraged House Oversight Committee Chairman Jason Chaffetz, who had already been calling for the resignation of OPM Director Katherine Archuleta and Chief Information Officer Donna Seymour.

"As I've said since June 16, after the Oversight Committee held the first hearing on this disastrous data breach, Director Archuleta and CIO Donna Seymour need to resign or be removed," Chaffetz, R-Utah, said Thursday. "Since at least 2007, OPM leadership has been on notice about the vulnerabilities to its network and cyber security policies and practices. Director Archuleta and Ms. Seymour consciously ignored the warnings and failed to correct these weaknesses."





Rep. Adam Schiff of California, the senior Democrat on the House Permanent Select Committee on Intelligence, said he doesn't believe OPM has been completely honest with Congress about the cyberattacks.

"I do not believe OPM was fully candid in its original briefing to the committee and omitted key information about two distinct hacks and the breadth of the potential compromise," Schiff said. "To the degree OPM has not been fully forthcoming with Congress or has sought to blame others for a lack of adequate security, OPM has not inspired confidence in its ability to safeguard our networks and most sensitive databases."



Fellow Democrat Mark Warner, a Virginia senator, called for Archuleta's removal Thursday.

"It is time for her to step down, and I strongly urge the administration to choose new management with proven abilities to address a crisis of this magnitude with an appropriate sense of urgency and accountability," he said.

Sen. Ron Johnson, R-Wis., chairman of the Committee on Homeland Security and Governmental Affairs, also blasted OPM's management.

"Today's announcement shows not only that cyber security on federal agency networks has been grossly inadequate but that the management of the OPM is not up to the task of fixing the problem," Johnson said.

Sen. John McCain, R-Ariz., the chairman of the Armed Services Committee, said "it is time for new leadership at OPM."

"After the Office of Personnel Management initially downplayed the damage of the recent data breach, it is deeply troubling to learn that the extent of the damage is far greater," McCain said.

The FBI and the Department of Homeland Security are investigating the hack, which some administration officials have privately blamed on hackers from China. The Chinese government has denied involvement.

In testimony before key congressional committees, officials of OPM's Office of Inspector General said they had repeatedly warned of cybersecurity weaknesses in the agency's data systems.

Archuleta, who has been at OPM for 18 months, testified that the hacks occurred as she was in the process of trying to modernize the agency's aging systems, some of which are 30 years old.

Lawmakers were largely unmoved by Archuleta's explanations.

"OPM was aware of the persistent issues – including three data breaches in 2014 that should have served as stark warnings that the personal data of millions of federal employees was being targeted by hackers," said Sen. Jerry Moran, R-Kan., chairman of the Commerce Subcommittee for Consumer Protection and Data Security. "Yet, there is little evidence that any action was taken by OPM. This lack of response has put federal workers, the American people, and – most importantly – our national security at risk."

Follow @ErinVKelly and @djusatodayon Twitter