Data breaches at the U.S. government's personnel management agency by hackers, with suspicions centering on China, involved millions more people than previously estimated, U.S. officials said on Thursday.
The Office of Personnel Management (OPM) said the stolen data included Social Security numbers and other sensitive information on 21.5 million people who have undergone background checks for security clearances.
That is in addition to data on about 4.2 million current and former federal workers that was stolen in what the OPM called a "separate but related" hacking incident. Because many people were affected by both hacks, a total of 22.1 million people were affected, or almost 7 percent of the U.S. population.
Those exposed included 19.7 million who applied for the clearances, plus 1.8 million non-applicants, mostly spouses or co-habitants of applicants, the agency said. The breach had already been considered one of the most damaging on record because of its scale and, more importantly, the sensitivity of the material taken.
The United States has identified China as the leading suspect in the massive hacking of the U.S. government agency, an assertion China's Foreign Ministry dismissed as "absurd logic."
Asked during a conference call with reporters on Thursday whether China was responsible, a White House National Security Council official, Michael Daniel, said "we're not really prepared to comment at this time on the attribution behind this event."
Daniel, special assistant to the president and cybersecurity coordinator at the National Security Council, said that "at this point the investigation into the attribution of this event is still ongoing and we are exploring all of the different options that we have."
The incidents have outraged members of Congress and worried the millions of Americans affected since they were revealed last month. Some lawmakers have called for the resignation of Katherine Archuleta, the OPM director.
AGENCY CHIEF WILL NOT RESIGN
Archuleta said neither she nor OPM chief information officer Donna Seymour would be resigning. "I am committed to the work that I am doing at OPM," Archuleta told reporters. "I have trust in the staff that is there."
OPM said in a statement that its investigation had found no information "at this time" to suggest any misuse or further dissemination of the information stolen from its systems.
It said some records included findings from interviews conducted by background investigators and about 1.1 million included fingerprints.
Background investigation records contained some information on mental health and financial history provided by security clearance applicants and others contacted during their investigations. OPM said there was no evidence that separate systems storing information on health, financial, payroll and retirement records of federal employees were affected by the hacking.
OPM said it is highly likely that anyone who went through a background investigation after 2000 was affected by the cyber breach. Those who underwent background checks before 2000 might be impacted but it is less likely, the personnel agency said.
The Social Security numbers are just the tip of the iceberg.
The critical information, which was not encrypted, involves a complete rundown of the personal lives of some 90 percent of applicants for security clearances, mainly excepting most undercover CIA agents.
That includes drug use, romantic histories and close friends abroad of those in the military, National Security Agency (NSA) and sensitive State Department posts, among many others, essentially a road map for what weaknesses might be used for blackmail by a foreign power.
Though not attributing the attack in public to China, investigators have told Reuters that their prime suspect is a team tied to that nation's Ministry of State Security. The evidence includes a specific piece of malicious software and the use of a stolen digital certificate, both of which had been seen in only a small number of attacks that had been tied to the same group.
Dmitri Alperovitch, chief technology officer at security firm CrowdStrike, said his company's analysis of data about the breach provided by the government made it clear that one or another part of the Chinese government directed the hacking.
"It's a tremendous coup for China," Alperovitch said.