The hack of the Office of Personnel Management, the largest ever breach of federal employee information, may have been four times larger than the government originally acknowledged, CNN reported Tuesday.
Although officials initially announced that the breach had impacted around 4.2 million federal workers, an internal memo circulated the day of the attack almost three weeks ago stated that around 18 million people may have been affected, including individuals who applied for positions with the government but were not hired, the Hill reported.
This information was not made public because it was based on “very raw numbers”, an unnamed source told ABC news. The same source said that investigators are taking “many forensic steps” to determine exactly how many people had their personal data stolen.
While OPM officials have not acknowledged that the breach has affected more than the initially indicated 4.2 million people, they did reveal that a second breach compromised the security clearance background checks of millions of military and intelligence community personnel.
It was also revealed that hackers had access to the OPM system for a year before they were discovered, stealing information on federal workers, government contractors, prospective government employees, and all friends, family, and acquaintances named for background checks.
At a congressional hearing earlier this month, OPM officials testified about their plans to improve digital defenses in the wake of the hack. The officials came under fire for what some lawmakers called their negligence, the Monitor’s Malena Carollo reported.
Meanwhile, government officials say it has been difficult to pinpoint exactly how many people were affected by the OPM hack.
“Coming up with a hard-and-fast number” for those impacted by the compromise of other OPM systems has been “really hard,” largely because much of the digital trail was erased by the time authorities detected the intrusions, a top Homeland Security official said last week.
Experts say that the kind of data stolen can give hackers the ability to commit identity fraud and construct sophisticated e-mail scams, leading to even more damaging cyber attacks seeking higher value information, the Monitor reported.