OPM says second breach compromised 21 million records

This new figure is in addition to the 4.2 million from June


On Thursday, House Oversight Committee Chairman Jason Chaffetz revealed new facts in the OPM story, focused on a second data breach that impacts 21.5 million people.

The incident exposed Social Security Numbers and biometric data for federal employees and in some cases their families. OPM became aware of the second breach while investigating the first one disclosed in June.

At the time, the OPM said that the first breach impacted the personal information of 4.2 million current and former federal employees. This second incident began in May of 2014 and went undiscovered for a year; however, the OPM has stated that patches applied to systems in January halted the extraction of data.

The second breach was hinted at during hearings in June, but Congressman Chaffetz released official details on Thursday.

His posts on Twitter report that OPM says 21.5 million people were impacted, adding that 19.5 million of them had applied for security clearance.

A follow-up message said that 1.8 million non-applicants (family members) were also affected. A final message says that 1.1 million biometric files were compromised, but that it wasn't clear if intelligence workers were part of that set.




In late June OPM suspended a system used for background checks after a flaw was discovered in the Web-based application. While there was no evidence that it was hacked, the agency pulled it out of caution.

The agency has also had to deal with legal issues stemming from the breach, as a federal employees union filed a lawsuit alleging that the agency's negligence led to the breach reported earlier that month.

Shortly after the first OPM breach was announced, the FBI published a memo disclosing malware used by actors that have "compromised and stolen sensitive business information and Personal Identifiable Information (PII)."

While the OPM was not mentioned by name in the high-confidence alert, the key link to the incident was the malware itself – Sakula. Salted Hash covered the memo in a previous story.

This story will be updated as the situation develops.

Copyright © 2015 IDG Communications, Inc.
