The Office of Personnel Management disclosed Thursday that 21.5 million people were caught in the sweeping data hack of U.S. government databases leading to the exposure of sensitive information including Social Security numbers and fingerprints.
The revelations forced the resignation of Office and Personnel Management Director Katherine Archuleta on Friday, just one day after the agency published its report.
The number of people exposed in this hack is five times greater than the 4.2 million hit in an earlier Office of Personnel Management data breach discovered in April and includes not just government employees and contractors, but their families and friends as well.
The Department of Homeland Security is working with the FBI to track the perpetrators while U.S. officials have privately connected the attacks to China. The Chinese government has denied involvement.
Steven Bucci, director of The Heritage Foundation’s Allison Center for Foreign Policy Studies, said the breach illustrated a “staggering” lack of understanding within the agency.
“Aggregating that much highly personal data about that many people with high level clearances without state of the art security and encryption was just dumb,” Bucci said. “Either the OPM leadership didn’t care—I hope that is not it—or they are woefully behind the times in comprehending the cyber threats that are out there.”
The Office of Personnel Management deployed a forensic investigation when it discovered in May its internal database storing background checks of current, former and prospective government employees had been hacked. The agency estimated every person given a federal background check in the last 15 years was caught in the breach.
The agency reported hackers stole sensitive information from 19.7 million people who applied for background investigations along with 1.8 million “non-applicants,” including spouses and friends.
The agency also revealed 1.1 million fingerprints were stolen, along with health records, financial history and other private information.
U.S. officials said the hack appears to be the worst in U.S. history because of the scope of information included in the stolen files, The Washington Post reports.
“It is a very big deal from a national security perspective and from a counterintelligence perspective,” FBI Director James Comey said during a meeting with reporters. “It’s a treasure trove of information about everybody who has worked for, tried to work for—or works for—the United States government.”
The Office of Personnel Management said its investigation did not indicate any “misuse” or “dissemination” of the stolen information. The agency will provide identity theft insurance along with credit and fraud monitoring for three years.