Sources at other government agencies confirmed to ZDNet that more than 10 million personnel records were stolen.
FBI Director James Comey reportedly gave the 18 million estimate in a closed-door Senate briefing not long after the breach. In addition to current and former employees, it appears the records of people who had applied for government jobs were also revealed.
OPM Director Katherine Archuleta has since admitted that up to 18 million unique Social Security numbers were stolen as part of the cyberattack, though she cautioned that the numbers were unverified and preliminary. She made this statement in testimony to the House Oversight Committee.
The revelation does not come as much of a surprise.
J. David Cox, president of the American Federation of Government Employees (AFGE), which represents more than 670,000 federal employees, claimed that the hack was significantly worse than what the Obama administration first claimed.
Cox claimed "all personnel data for every federal employee, every federal retiree, and up to one million federal employees" was stolen. At the time, Cox also said Social Security numbers had been stolen in an unencrypted format, which he described as "absolutely indefensible and outrageous."
Since then, it's also been shown that the OPM badly mishandled its first efforts to protect employees' identity and credit history. The OPM and its contractor, CSID, sent e-mails to staffers that made it possible for hackers to launch phishing attacks on them.
That said, as this story continues to unfold, the news only looks worse and worse, both for how the OPM handled its internal security and for the federal employees whose records have been revealed.
Neither the FBI nor the OPM confirmed at the time of the original report that 18 million records were revealed. An FBI representative said, "As this remains an ongoing investigation, we are unable to provide any details on this matter at this time."