After weeks of waiting, U.S. officials finally confirmed yesterday (July 9) the approximate number of people exposed by the recent cyber incident involving federal background investigation data that took place earlier this year.
According to the U.S. Office of Personnel Management’s interagency forensics investigation, hackers made off with the sensitive information of 21.5 million individuals.
The staggering amount of data the hackers stole, as well as how highly sensitive the information is, lays out the truly enormous scope of the attacks.
In an agency release outlining the details of the investigation results, OPM said: “Following the conclusion of the forensics investigation, OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history and other details.”
“Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen,” the statement continued.
OPM officials also confirmed that its investigation into this and a separate but smaller attack on the agency’s database in April, which compromised the information of some 4.2 million people, were executed by the same “actor.”
The new revelation shows there was an overlap in the breaches. The roughly 3.6 million people whose data was stolen in the personnel records breach also were compromised during the background check hack, bringing the total number affected by the twin cyberattacks to 22.1 million, an OPM representative told NBC News.
In an effort to help the millions who have been adversely affected by the attacks, OPM reported the steps it will take to right the wrongs that have taken place. The office will offer a comprehensive suite of monitoring and protection services to individuals whose sensitive information was compromised.
OPM’s statement said the portfolio of protection services will include:
- Full service identity restoration support and victim recovery assistance
- Identity theft insurance
- Identity monitoring for minor children
- Continuous credit monitoring
- Fraud monitoring services beyond credit files
The suite of services is designed to specifically address the potential risks created by this incident and will be available at no charge for at least three years.