Second OPM Data Breach Hit 21.5 Million, Included Fingerprints

This story has been updated with additional information from union officials and lawmakers.

Office of Personnel Management officials said on Thursday 21.5 million individuals were affected by a data breach involving security clearance files. The announcement provided the first significant details about the hack since OPM first revealed the breach June 12. 

OPM will provide a “suite of services” to individuals whose personal information was hacked, which includes nearly everyone that underwent a background investigation or reinvestigation through OPM in 2000 or later (which applies to anyone who submitted Forms SF-86, SF-85 or SF-85P). Individuals who underwent a background investigation prior to 2000 may still be impacted, but OPM said that is “less likely.”

The personal information breached in the hack included details such as Social Security numbers; residency and educational history; employment history; information about immediate family and other personal and business relationships; health, criminal and financial history; and other details, OPM said.

The incident is separate, but related, to the initial hack announced by OPM in May, which affected 4.2 current and former federal employees. The second breach, which specifically targeted individuals that underwent background investigations, such as those applying for security clearances, was detected in late May as OPM was beefing up its systems in response to the first hack. About 3.6 million of those affected by the first hack were also impacted by the second breach. 

Andy Ozment, assistant secretary for cybersecurity and communications at the Homeland Security Department, told reporters on Thursday the forensics investigation into the second breach was "extremely complicated," which is why it took additional time to determine exactly who was impacted. 

OPM said 19.7 million of those impacted applied for a background investigation, while an additional 1.8 million were non-applicants, primarily spouses or co-habitants of applicants. The breached records include findings from interviews conducted by background investigators and 1.1 million of the records included fingerprints.

Notifications will go out to those impacted by the hack “in the coming weeks,” OPM said. Services to those individuals will be provided by a private sector firm and will include full service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continuing credit monitoring and fraud monitoring services beyond credit files.

The protections will be provided for at least three years at no cost to the individuals, according to OPM. They will also receive “educational materials and guidance” to help protect themselves against potential fraud. OPM said a call center will be opened to help answer questions for those affected by the hack. Archuleta emphasized on the call the services will be offered for "at least" three years -- implying it could be longer -- and said the administration is "looking at what other steps we can take" to help impacted federal workers and contractors. 

Federal employee groups were quick to call OPM's offer inadequate. 

"For these 21.5 million people, a lifetime’s worth of information was exposed," said Richard Thissen, president of the National Active and Retired Federal Employees Association. "They deserve nothing less than a lifetime of protection. Three years is not enough and will not bring peace of mind to those awaiting official notification that they were impacted by this incident."

Also on Thursday, several Democratic senators formally unveiled the Reducing the Effects of the Cyberattack on OPM Victims Emergency Response (RECOVER) Act, which would provide lifetime credit monitoring to everyone affected by the hacks and up to $5 million in identity theft protection. Sens. Barbara Mikulski, Md., Tim Kaine, Va., and Mark Warner, Va., joined Ben Cardin, Md., in introducing the bill. 

Administration officials continued to decline to give any details about who may have been responsible for the hack, though they confirmed the same actor committed both breaches. Asked about the large number of lawmakers calling for her to resign, Archuleta defended her record on cybersecurity and said she will continue in her position to patch up any existing network vulnerabilities. She and other officials highlighted the progress made by agencies across government to improve network security as part of an Office of Management and Budget mandated "30-day sprint," including increasing the use of two-factor authentication.