After second hack, OPM confirms more than 22 million affected

Biometric data and social security information was taken, the federal vetting agency confirmed.
Written by Zack Whittaker, Contributor
(Image: stock image)

The federal agency in charge of vetting government workers for security clearance has been hit by a second breach, leading to the theft of more than 21 million individuals' records.

The figure confirmed Thursday by the Office of Personnel Management includes a portion of the 4.2 million records -- including Social Security numbers -- compromised in an earlier breach reported last month.

The total figure now stands at about 22.1 million individuals affected by the two cyberattacks.

ABC News and The National Journal first reported the latest figures prior to the announcement. The AFP news agency confirmed a short time after.

The federal agency vets thousands of prospective employees every year for classified and secure work within the US government. Some officials have privately claimed China was behind the first attack, though the US government has not yet publicly commented on the record.

In an updated statement published Thursday, the OPM said the second breach was discovered in the wake of the earlier attack.

It's said that "background investigation records of current, former, and prospective Federal employees and contractors" were taken in the breach, including 1.1 million fingerprint records. The agency said "some information" regarding mental health and financial history provided by applicants and people contacted during background investigations may have been taken.

In the wake of the breach, officials have already expressed their concern that the entire affected workforce of the US government may be vulnerable to blackmail or pressure from other governments or private industry.

The agency said that applicants who applied prior to 2000 were "less likely" affected by the breach.

Notifications of those individuals have not yet begun, the agency said.

Correction: The original story miscalculated the overall affected number of people. The correct number is 22.1 million. The headline and story has been changed

Editorial standards