Hackers stole Social Security numbers and other personal data for about 22.1 million people in breaches of the U.S. government’s personnel office, the Obama administration said.
The total includes new data related to the breach of security clearance applications as well as information previously released on the theft of personnel records, the Office of Personnel Management said Thursday.
“We live in a world where the cybersecurity threats we are facing are increasingly growing broader,” Michael Daniel, White House cybersecurity coordinator, told reporters in a conference call announcing the findings. “The adversaries are growing more sophisticated.”
On Capitol Hill, lawmakers said OPM’s director should be replaced. House Republican leaders -- Speaker John Boehner of Ohio, Majority Leader Kevin McCarthy of California and Majority Whip Steve Scalise of Louisiana -- issued statements calling for President Barack Obama to fire OPM Director Katherine Archuleta. In the Senate, Democrat Mark Warner of Virginia and Republican John McCain of Arizona, also called for a new director.
“Too much trust has been lost, and too much damage has been done,” Boehner said in a statement.
The Chinese government is a leading suspect behind the attack, according to Director of National Intelligence James Clapper, some lawmakers and cybersecurity companies that conduct forensics investigations.
Daniel declined to say whether China is responsible. However, he indicated the Obama administration already has moved behind the scenes to act in response to the attack.
“Just because we’re not doing public attribution does not mean we’re not taking steps to deal with the matter,” he said.
Of the 22.1 million people, 21.5 million were affected in the security-clearance breach, including 19.7 million who applied for a background investigation and 1.8 million non-applicants such as spouses of applicants. In a separate breach, the agency said 4.2 million people had their personnel records stolen. Of those, 3.6 million are included in the total released Thursday.
Personal information, including fingerprints and passwords, from U.S. job applicants who went through federal government background checks while applying for security clearances was breached in the intrusions, which OPM discovered in April.
There’s no evidence that the stolen data is being used for criminal or other nefarious purposes, Archuleta said.
The new numbers vastly expand the publicly disclosed scope of the hack, which targeted federal government employees and contractors.
“If an individual underwent a background investigation through OPM in 2000 or afterwards,” OPM said in a release Thursday, “it is highly likely that the individual is impacted by this cyber breach.”
OPM said the types of information compromised includes “Social Security numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.”
Several government employees expressed frustration after the hack, accusing OPM of withholding information about its scope and failing to provide adequate protections against identity theft.
U.S. Treasury employees filed suit this week seeking lifetime credit monitoring and calling the attack a violation of the constitutional right to privacy. The American Federation of Government Employees, which filed a class-action complaint against OPM last month, placed a full-page ad in Politico on Thursday, calling for OPM to release more information about the scope of the breach.
“AFGE remains frustrated by the lack of information being provided by OPM on the number of current, retired and prospective employees whose information was stolen,” the labor union said Thursday in a statement. “OPM also has not detailed what information was stolen, leaving millions of employees anxiously waiting for answers.”
OPM has offered credit monitoring and identity theft services to affected employees.