(Editor's note: Several hours after the publication of this report, Office of Personnel Management Director Katherine Archuleta submitted her resignation, and President Obama accepted it.)
At least 21 million Social Security numbers were compromised in the second massive cyberbreach of federal records – reportedly executed by China – which exposed sensitive information of U.S. intelligence and military personnel.
Advertisement - story continues below
The first major hack reported in June comprised a separate 4.2 million Social Security numbers.
The Office of Personnel Management, the agency the runs the twice hacked database, announced Thursday that the compromised Social Security numbers include not only those belonging to prospective, current and past employees, but also the numbers of family members and other third parties.
TRENDING: Biden admin cancels $37 million in student debt for just over 1,000 people
Of the 21.5 million records accessed, 19.7 million belonged to applicants seeking federal security clearances, according to OPM.
Another 1.8 million records belonged to applicants' family members and other individuals.
Advertisement - story continues below
The hackers also had access to 1.1 million sets of fingerprints in addition to sensitive background information, including:
- job history,
- addresses,
- drug and criminal histories,
- health and mental conditions,
- educational history,
- information about immediate family members (names, addresses, birthdates, Social Security numbers),
- information about personal and business acquaintances,
- financial history
- information from background investigations,
- usernames and passwords used to fill out investigation forms and other information.
Any person who underwent a federal background check after the year 2000 is "highly likely" to have had the personal information compromised by the massive hack, OPM said Thursday. However, individuals investigated before 2000 may still be affected by the breach.
While OPM has offered credit monitoring to the federal employees and security-clearance applicants, the government considers it to be applicants' responsibility to alert third parties listed on the background check forms.
Those third parties will not be offered the identity-protection services.
Advertisement - story continues below
According to OPM Director Katherine Archuleta's testimony before Congress, the massive May 2014 hack was not discovered until May 2015. Archuleta was the political director for President Obama's 2012 re-election campaign.
Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, told Congress that a January security update stopped most of the data extraction.
In June, federal contractor CSID was tasked with informing and providing identity protection services to the 4.2 million employees impacted by the first hack. However, a company spokesman told the National Journal that CSID won't be involved in the process for the larger data breach.
Advertisement - story continues below
CSID has been criticized after federal employees who called with questions about identity protection services were forced to wait for hours for answers.
OPM claims there is no apparent indication that the hacked information has been "misused" or shared.
On Wednesday, the Senate Intelligence Committee asked FBI Director James Comey to provide a specific number of individuals impacted by the breach, but he refused to give one. But Comey confirmed the hack was "enormous" and included his own personal information.
Congressmen on both sides of the aisle have demanded the resignations of OPM Director Katherine Archuleta and OPM Chief Information Officer Donna Seymour since the hackings were discovered in June.
On Thursday, House Oversight Chairman Jason Chaffetz, R-Utah, repeated his call for the two "to resign or be removed" from their positions.
"Since at least 2007, OPM leadership has been on notice about the vulnerabilities to its network and cybersecurity policies and practices," Chaffetz said. "Director Archuleta and Ms. Seymour consciously ignored the warnings and failed to correct these weaknesses. Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries. Such incompetence is inexcusable. Again, I call upon President Obama to remove Director Archuleta and Ms. Seymour immediately."
Sen. Mark Warner, D-Va., who sits on the Senate Select Committee on Intelligence, demanded that Archuleta step down.
"The technological and security failures at the Office of Personnel Management predate this director's term, but Director Archuleta's slow and uneven response has not inspired confidence that she is the right person to manage OPM through this crisis," Warner said in a Thursday night statement. "It is time for her to step down, and I strongly urge the administration to choose new management with proven abilities to address a crisis of this magnitude with an appropriate sense of urgency and accountability."
Rep. Barbara Comstock, R-Va. – whose own information was compromised in the breach – echoed Warner's call.
Comstock said Archuleta showed "complacency, apathy … and incompetence" after the hacking was discovered.
"It goes to the top," she told the National Journal. "This is a failure of leadership on her part, and if the president does not have the leadership to do this, I think she should step aside."
Reps. Ted Lieu and Jim Langevin, both Democrats, called for Archuleta's removal.
Lieu and Rep. Steve Russell, R-Okla., are reportedly drafting legislation that would task another agency "that has a better grasp of cyberthreats" with handling the security-clearance database instead of OPM.
However, Archuleta, in a Thursday press call, claimed she and her staff should be commended for their efforts to improve cybersecurity since November 2013.
"It is because the efforts of OPM and its staff that we've been able to identify the breaches," she said.
Archuleta said she and Seymour will not resign.
Also on Thursday, a White House spokesman re-confirmed support for Archuleta.
