The New York Times and the government are reporting 21.5 million, and CNN is reporting 22.1 million. ABC and Reuters have reported 25 million.
In a statement, OPM said hackers stole the Social Security numbers of 21.5 million people, including 19.7 million individuals who applied for a background investigation.
In any case, the figure is much higher than OPM’s original estimate of 4 million and amounts to roughly 7% of the US population.
OPM reports that the types of compromised information may also include Social Security numbers; residency and educational history; employment history; information about immediate family and personal and business acquaintances; and health, criminal, and financial history that would have been part of a background investigation.
ABC notes that “US intelligence and law enforcement officials are particularly concerned over the theft of forms known as SF-86s that current and prospective federal workers, including certain military personnel, and even contractors submit for security clearances.”
The 120-page questionnaire is an exhaustive examination of an applicant’s personal history, including their financial records (including gambling addictions and any outstanding debt), drug use, alcoholism, arrests, psychological and emotional health, foreign travel, foreign contacts, and an extensive list of all relatives.
REUTERS/Kevin LamarqueFBI Director James Comey.
Experts fear the stolen information could be used by the Chinese government to blackmail, exploit, or recruit US intelligence officers, compromising the success and safety of agents operating at home and abroad.
“I’m sure the adversary has my SF-86 now,” FBI Director James Comey said to a Senate panel earlier this week. “My SF-86 lists every place I’ve ever lived since I was 18. Every foreign travel I’ve ever taken. All of my family, [and] their addresses.”
The hackers reportedly acquired these forms, which is “one of the most extensive national security questionnaires that exists,” Michael Borohovski, CEO of Tinfoil Security, told Business Insider last month.
“Security-wise, this may be the worst breach of personally identifying information ever,” he added.
Mark Wilson/Getty ImagesThe Theodore Roosevelt Federal Building that houses the Office of Personnel Management headquarters in Washington, DC. US investigators have said that at least 4 million current and former federal employees might have had their personal information stolen by Chinese hackers.
Hackers who infiltrated OPM had access to the agency’s security-clearance computer system for over a year, The Washington Post reported, giving them ample time to steal as much information as possible from OPM’s database of military and intelligence officials.
“If you underwent a background investigation through OPM in 2000 or afterwards … it is highly likely that you are impacted by the incident involving background investigations,” the OPM stated.
The breach was partly a result of shoddy security practices.
OPM contractors in Argentina and China were given “direct access to every row of data in every database” when they were hired by the Office of Personnel Management (OPM) to manage the personnel records of more than 14 million federal employees.
APOffice of Personnel Management Director Katherine Archuleta testifies on Capitol Hill, June 16, 2015.
The OPM “conducts more than 90% of all federal background investigations, including those required by the Department of Defense and 100 other federal agencies,” Reuters has reported.
Members of the intelligence community, including FBI employees, were also affected by the breach.
As a result, spies who took OPM information will know “who the best targets for espionage are in the United States,” Michael Adams, a computer-security expert with more than two decades of experience in the US Special Operations Command, told The Daily Beast.
The agency also stores the results of polygraph tests, which is “really bad, because the goal of government-administered polygraph tests is to uncover any blackmailable information about its employees before it can be used against them,” Borohovski said. “So it’s really a goldmine of blackmail for intruders.”
REUTERS/Gaung Niu GN/PBA Chinese man walks near a lantern before a Lantern Festival on the outskirts of Beijing.
The massive breach — discovered by network-forensics company CyTech Services while it was doing a product demo of its new software package, CyFIR, for OPM in early June — was “classic espionage” on an unprecedented scale, a senior administration official told The New York Times last month.
Here’s part of the statement from OPM:
While investigating this incident, in early June 2015, OPM discovered that additional information had been compromised: including background investigation records of current, former, and prospective Federal employees and contractors. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases. This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen. Notifications for this incident have not yet begun.
Sent from my Tricorder