The U.S. Office of Personnel Management announced Thursday that a massive data breach—one that targeted its security clearance system—compromised the sensitive information of 21.5 million people, including social security numbers for current and former federal workers, contractors, friends, and families, the agency said. As many as 19.5 million of those people had applied for security clearances.
In June, the office had disclosed an earlier breach affecting 4.2 million such workers, which included performance reviews as well as social security numbers for federal employees.
The second breach, OPM director Katherine Archuletta told Congress, began in May 2014 and was not discovered until a year later. Two federal worker unions have filed lawsuits against the office so far.
Many U.S. officials believe the breach was the work of Chinese attackers. Although that remains unconfirmed, Director of National Intelligence James Clapper and others have implicated the country.
At a hearing before the Senate Judiciary Committee this week, FBI Director James Comey said that his files were compromised in the hack. He described the breach as "enormous" in size without revealing further details, though in June he had reportedly told Senators in a classified meeting that the hack may have affected 18 million Americans.
On July 4, Archuletta had intimated in a blog post that an updated figure for the size of the breach might be forthcoming this week. "Thanks to the tireless efforts of my team at OPM and our inter-agency partners, we also have made progress in the investigation into the attacks on OPM's background information systems," she wrote. "We hope to be able to share more on the scope of that intrusion next week, and in the coming weeks, we will be working hard to issue notifications to those affected."
Jason Chaffetz, chairman of the house oversight committee, has been vocal in calling for the ouster of Archuletta. He posted a series of tweets about the number of people affected by the breach: