The massive hack that struck the US Office of Personnel Management affected some 21.5 million people, all of them people who had information stolen about them from a backgrounds investigation database used for evaluating people who sought classified clearances from the government.
The new figure was released today in an advisory published by OPM.
"The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases," OPM wrote in the statement. "This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants."
The stolen information includes about 1.1 million fingerprints as well as findings that investigators obtained from interviews conducted with neighbors, friends and family members for background checks. Such information can be highly sensitive since it can include knowledge about the drug and criminal history of someone undergoing a background check as well as their sexual orientation and relationships.
Those affected include anyone who applied for a security clearance in 2000 or later and who underwent a background investigation.
The number of affected victims is much higher than previously disclosed. In June, after the hack was first publicly acknowledged, the government said the breach exposed the personal information of approximately four million people---and the information stolen only included data such as Social Security numbers, birth dates and addresses of current and former federal workers. But this was when the government believed the only databases hit were ones involving employment records of current and former federal workers.
It later was revealed that the hackers, who are believed to be from China, also accessed another database used for conducting background investigations for security clearances.
In total, OPM now says that 21.5 million were affected by the breach of the background investigations database, and of these, about 3.6 million were also affected by the personnel records breach that had been disclosed back in June. And additional 600,000 were affected only by the breach of the personnel records database.
The background investigations database is the most concerning, however, since it included so-called SF-86 forms, documents used for conducting background checks for worker security clearances. The forms can contain a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members.
The 127-page SF-86 forms include financial information, detailed employment histories---with reasons for past terminations included---as well as psychological records. They can also include potentially sensitive information about the applicant’s interactions with foreign nationals---information that could be used against those nationals in their own country.
Federal background checks are meant to suss out information that might be used by foreign enemies to blackmail a government staffer into turning over classified information. Diplomats and other workers with access to classified information are required---depending on their job---to provide a list of foreign contacts.
There is concern that if the Chinese government got hold of lists containing the names of Chinese nationals who had been in touch with US government workers, this could be used to blackmail or punish them if they had been secretive about the contact.
OPM, in its advisory, announced that it had set up a call center and web site to respond to questions by those who may have been affected. It has also set up ID theft monitoring services for people caught in the breach. This kind of monitoring, however, can only help those whose information might be used by criminals to open false lines of credit and engage in other kinds of identity theft. They provide no assistance to people who might be harmed by other personal information that was stolen in the breach.
Update 6pm EST: To correct the total number of victims affected by the breach.
