The agency at the center of the likely largest-ever government data breach announced Thursday that more than 22 million people have had their personal information stolen.
The total includes 21.5 million people whose sensitive data was taken in a breach of the the Office of Personnel Management's (OPM) security clearance database, as well as 4.2 million government workers whose personnel files were stolen in an earlier intrusion. But 3.6 million were hit by both hacks, putting the final tally at 22.1 million.
OPM Director Katherine Archuleta, in a conference call with reporters, insisted, "I truly understand the imapct this has on our current and former federal employees, our miltiary personnel and our contractors."
The revelation brings to a close more than a month of speculation over the total size of the breach, which included two separate intrusions at the Office of Personnel Management (OPM).
"The agency and the administration have not even been able to correctly define the scope of the problem," Senate Homeland Security and Governmental Affairs Committee Chairman Ron Johnson (R-Wisc.) said after the total was unveiled. "This will have grave consequences for national security.”
Initially, the OPM said in early June that just 4.2 million current and former federal workers’ personnel files had been taken by cyber thieves. A week later, officials disclosed a separate, more serious, breach of the OPM’s data center that houses background investigation files on those seeking security clearances.
It was believed that at least 18 million people’s information was included in those thorough files, which included details on sexual indiscretions and drug and alcohol abuse.
But OPM Director Katherine Archuleta cautioned lawmakers during a House hearing that the 18 million estimate could rise, because it did not include spouses, relatives and roommates named in the government workers’ background checks.
Investigators on Thursday concluded that 19.7 million security clearance seekers had their sensitive data stolen, plus an additional 1.8 million relations outside the government who had sensitive data included in those files.
The forms included Social Security numbers, past residency information, employment history and criminal and financial records, as well as other personal nuggets gained through in-person interviews conducted as part of background investigations.
Over a million fingerprints were also in the stolen cache, the OPM said.
The second breach encompasses all background investigations conducted spanning back to 2000. The OPM said it is possible, but less likely, that background checks conducted prior to the new millennium were taken.
It's believed that Chinese hackers were seeking the data as part of a broader cyber espionage campaign to create a thorough database on U.S. government workers.
The information contained in personnel files and background investigations can be used to imitate officials, launch future cyberattacks, conduct blackmail or even recruit informants.
Administration officials would not comment Thursday on who they believe is responsible, citing the ongoing investigation.
But Andy Ozment, assistant secretary of the Department of Homeland Security's Office of Cybersecurity and Communication, confirmed that the same adversary was behind the two breaches.
"The adversary broke into [OPM] the network via a compromised credential of a contractor," he told reporters. "Within the OPM network, they were able to move to the Department of Interior network."
Interior housed the database with workers' personnel files.
The final tally has been a serious point of contention for OPM officials and lawmakers. At a series of hearings in recent weeks, policymakers were increasingly frustrated that the agency would not — publicly or privately — give them a final estimate or timeline of when they would know the ultimate total.
The frustration has played a role in the growing calls on Capitol Hill for Archuleta’s resignation.
House Oversight and Government Reform Committee Chairman Jason ChaffetzJason ChaffetzWhen political opportunity knocked, Jason Chaffetz never failed to cash in Chaffetz resting after 'successful' foot surgery Lawmakers reintroduce online sales tax bills MORE (R-Utah), who has been leading the charge for Archuleta's firing, used the latest revelations to renew his call.
Archuleta and OPM officials "consciously ignored the warnings and failed to correct these weaknesses," he said in a statement. "Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries. Such incompetence is inexcusable."
Sen. Steve Daines (R-Mont.), the first senator to call for Archuleta's firing, agreed.
"It’s unacceptable that OPM’s leaders are more focused on protecting their image than providing the American people with the answers and information they deserve," he said.
Archuleta defended her record to reporters.
"I am committed to the work that I am doing at OPM," she said. "I have trust in the staff."
The embattled agency head cited both her long-term network modernization plan that has been in place since February 2014, as well as the "aggressive" steps she has taken since the breaches were revealed.
Archuleta revealed Thursday that she has directed the Office of the Director of National Intelligence and Office of Management and Budget to conduct a 90-day review of the OPM's security strategy.
"We are working very hard not only at OPM but across the government to sure the cybersecurity of all our systems," Archuleta said.
The 21.5 million put at risk by the larger hack will receive at least three years of complementary credit monitoring services, OPM officials said. Victims of the first breach were only offered 18 months of free services.
Federal workers unions have admonished the OPM for not offering lifetime credit monitoring to the breach victims, even taking the agency to court over the issue.
"If there is any silver lining to this disaster, it is that OPM appears to be getting more serious in protecting those whose information is exposed with the three-year continuous credit monitoring services," said National Federation of Federal Employees (NFFE) National President William Dougan.