X

Over 22M Social Security numbers stolen in OPM hacks, agency says

Up until now, the number of people affected by recent hacks of US government databases was a mystery. Also compromised were more than 1 million fingerprints.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
4 min read

Katherine Archuleta, director of the Office of Personnel Management, at a House Oversight and Government Reform Committee hearing on Capitol Hill. Mark Wilson/Getty Images

If you were affected by recent hacks on US government databases, you're in good company.

The federal government announced Thursday that the total number of people affected by cyberattacks on the US government's personnel office was more than 22 million. The agency said 21.5 million Social Security numbers were stolen from one source and 4.2 million from another. Both attacks were announced in June.

Some people were hit with a double whammy, having their information compromised in both breaches, leading to the government's total figure of 22.1 million stolen Social Security numbers.

The breadth of the attack exceeds some of the worst estimates that government officials and security experts had shot around in the past month, showing that the government's databases were an unsecured stockpile of valuable information when the attack occurred. It's the largest blemish on the government's record of controlling its systems, and follows a string of attacks that includes the hacking of the CIA's public website, the interception of White House emails and the breach of a military Twitter account. A previous attack blamed on China attempted to intercept information on federal employees with top secret security clearance in March 2014, according to The New York Times.

FBI Director James Comey purportedly estimated that 18 million people were affected by the attacks on OPM databases, according to CNN, which prompted US Congressman Jason Chaffetz (R-Utah) to grill Office of Personnel Management Director Katherine Archuleta on the total number at a congressional hearing in late June. Archuleta declined to give a number at the time, saying the agency was still sorting out how many people's Social Security numbers were in the forms.

Attackers lifted the 21.5 million Social Security numbers from stolen background check documents. About 1.8 million of the people caught up in the hack were married to or lived with the applicants seeking a security clearance, the Office of Personnel Management announced Thursday.

And it got even more invasive than that.

"As noted above, some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints," the agency said in its press release.

The two database breaches were "related," an OPM spokesman said, and added that the FBI is still determining who was responsible for hacking the background-check documents. The first hack has been tied by some in the federal government to Chinese hackers, but few further details have emerged.

The OPM press release also detailed the assistance the government will provide those affected, including credit and fraud monitoring, identity theft insurance and "full service identity restoration support and victim recovery assistance." The OPM spokesman said the agency was still contracting these services out and did not have an estimate of how much it would cost taxpayers.

Unions representing the federal employees have criticized the amount of information and assistance provided by OPM. Two unions have sued the federal government on behalf of their members, and before the agency announced the second, larger hack, the American Federation of Government Employees accused the government of downplaying the number of people affected and the extent of the compromised records.

"There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM's systems," the agency's release said. But the impact of the lost information will be impossible to guess, security experts said.

"While we haven't seen the personal information being used yet, this is to be expected," said Chris Wysopal, a security expert at Veracode, a company that checks source code used in 90 percent of software applications for known flaws. "It's rare that information that can be used for blackmail or as precursor information for phishing attacks would be seen being used."

In fact, Wysopal said, that we haven't seen the hackers tip their hand and identify themselves by using the data shows their level of sophistication.

"I was just talking to a federal officer last week," said Stephen Coty, an executive at Alert Logic and security researcher. "He knows his information's in there, and so are all his colleagues." Indeed, Comey -- the FBI director -- told National Journal reporters that he knows his information was compromised in the hack.

The breach of data on federal agents, including extremely personal background-check interviews, at the FBI and beyond gives hackers tools for blackmail and espionage, Coty said.

"It really puts them in harms way more than ever before," he said "It's already been tough to be in federal law enforcement."

Update, 3:25 p.m. PT: Adds more background and expert comment on the OPM hacks.