Biggest breach in US history? OPM hack hit 21 million people, officials say

Data breaches at the US government's Office of Personnel Management in June may affect more than 21 million people, far more than previously estimated. 

Susan Walsh/AP Photo/File
Office of Personnel Management (OPM) Director Katherine Archuleta testifies in Washington, D.C. on June 25, 2015.

Hackers stole Social Security numbers, health histories and other highly sensitive data from more than 21 million people, the Obama administration said Thursday, acknowledging that the breach of U.S. government computer systems was far more severe than previously disclosed.

The scope of the data breach – believed to be the biggest in U.S. history – has grown dramatically since the government first disclosed earlier this year that hackers had gotten into the Office of Personnel Management's personnel database and stolen records for about 4.2 million people. Since then, the Obama administration has acknowledged a second, related breach of the systems housing private data that individuals submit during background investigations to obtain security clearances.

That second attack affected more than 19 million people who applied for clearances, as well as nearly 2 million of their spouses, housemates and others who never applied for security clearances, the administration said. Among the data the hackers stole: criminal, financial, health, employment and residency histories, as well as information about their families and acquaintances.

The new revelations drew indignation from members of Congress who have said the administration has not done enough to protect personal data in their systems, as well as calls for OPM Director Katherine Archuleta and her top deputies to resign. House Oversight and Government Reform Committee Chairman Jason Chaffetz, a Utah Republican, said Archuleta and her aides had "consciously ignored the warnings and failed to correct these weaknesses."

"Such incompetence is inexcusable," Chaffetz said in a statement.

House Republican leaders — Speaker John Boehner, Majority Leader Kevin McCarthy and Whip Steve Scalise — also called for Archuleta's resignation and said President Barack Obama must "take a strong stand against incompetence."

Some Democrats weighed in against Archuleta as well. Virginia Sen. Mark Warner said, "It is time for her to step down, and I strongly urge the administration to choose new management with proven abilities to address a crisis of this magnitude with an appropriate sense of urgency and accountability."

Yet Archuleta insisted she would not step down. "I am committed to the work that I am doing," she said in a conference call with reporters.

Archuleta said the hackers also obtained user names and passwords that prospective employees used to fill out their background investigation forms, as well as the contents of interviews conducted as part of those investigations. Yet the government insisted there were no indications that the hackers have used the data they stole.

Still, the government declined to say who was behind the attack.

Numerous U.S. lawmakers, including Senate Democratic leader Harry Reid, have said China was behind the attack. But Michael Daniel, Obama's cybersecurity coordinator, said the government wasn't yet ready to say who was responsible.

"Just because we're not doing public attribution does not mean that we're not taking steps to deal with the matter," Daniel told reporters.

While officials would not point the finger at China, they acknowledged that the same party was responsible for both of the breaches, which took place in 2014 and early 2015. Investigators previously told The Associated Press that the U.S. government was increasingly confident that China's government, and not criminal hackers, was responsible for the extraordinary theft of personal information.

China has publicly denied involvement in the break-in.

The administration said it has stepped up its cybersecurity efforts by proposing new legislation, urging private industry to share more information about attacks and examining how the government conducts sensitive background investigations.

"Each and every one of us at OPM is committed to protecting the safety and the security of the info that is placed in our trust," Archuleta said. In early June, government employees received notice that OPM would offer credit-monitoring services and identity-theft insurance to those affected.

Meanwhile, the White House waited about a month before telling the public that hackers had stolen the personal information of millions of people associated with the government, people directly involved with the investigation told the AP last month.

FBI Director James Comey, in a briefing with reporters Thursday, described the scope of the OPM breach as "huge" and called it "a very big deal from a national-security perspective and a counterintelligence perspective."

"It's a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government," he said. 

Associated Press writers Eric Tucker and Ted Bridis contributed to this report.
