The U.S. Office of Personnel Management has confirmed that hackers have stolen sensitive data, such as Social Security numbers, for around 21.5 million people, most of whom underwent security clearance background checks since 2000. This is on top of the 4.2 million who had their data stolen in a separate but related incident.
Out of those exposed, around 19.7 million had applied for security clearances, on top of 1.8 million who were nonapplicants, but were rather spouses or other people that lived with the applicants.
"It's not just my identity that's affected," said FBI director James Comey to the L.A. Times. "I've got siblings. I've got five kids. All of that is in there."
It is still not known exactly who conducted the hack, however reports from last week by The New York Times suggested that Chinese hackers were behind the theft of data. Previously, China denied involvement in the hack. Despite this, China is a chief suspect, as identified by the U.S. government.
The hacking incident has outraged government officials and members of the Congress, mostly because of the fact that the OPM had failed for years to take proper precautions in updating its security software.
"You failed utterly and totally," said Rep. Jason Chaffetz, R-Utah, a Republican committee chairman. "They recommended it was so bad that you shut it down and you didn't."
While anyone who underwent a background check through the OPM since 2000 is highly likely to have had their data compromised, it is also possible for some who underwent background checks before 2000 to have also been affected. Those affected were almost all people who had worked, work now, or who tried to work for the U.S. government.
Apart from Social Security numbers, some records included things like fingerprints, usernames and passwords used to fill out application forms. Mental health records and financial histories, however, were reportedly stored in separate systems and were not compromised by the hack.
Despite the lack of attention that the OPM paid to security, the service has announced a number of steps that it will take to help those affected by the hack. For example, it will offer identity theft insurance, monitoring for credit and fraud, and so on.
Not only that, but the service will also send out notification packages to those who had their data compromised, including "educational materials and guidance to help them prevent identity theft, better secure their personal and work-related data and become more generally informed about cyber threats."
The investigation to find out exactly who conducted the hack is still under way, but the hack also serves as a lesson to those handling sensitive information - it is extremely important to keep security software up to date.