25 million people had data stolen in hack of federal files, officials say

The Office of Personnel Management building in Washington. The OPM announced Thursday that personal data of 25 million people were stolen.

(Shawn Thew / EPA)

The sensitive personal information of 25 million people was stolen in two related hacks into government personnel files in recent months, officials said Thursday, a far larger total than previously acknowledged.

The information belonged to current and former federal workers as well as people who had applied for government jobs or done federal contracting work, the Office of Personnel Management said.

The Social Security numbers of 21 million people were stolen -- 19 million who had applied to have background investigations done, and another 2 million or so who were merely relatives of the applicants. Addresses, family members’ names, health and financial data and criminal histories were also among the information stolen, according to the agency. That’s in addition to the 4 million people whose information was stolen in the other attack.


The hackers got away with a “boatload” of highly confidential personal details, FBI Director James Comey said while meeting with reporters at the bureau’s headquarters Thursday. Stolen forms encompass personnel records and personal relationships, as well as trips overseas and contacts with people living abroad. That means the fallout from such attacks can “quickly grow far beyond the number of federal employees,” Comey said.

“It’s a treasure trove of information,” he said, “about everybody who has worked, tried to work or works now for the United States government.”

He said, “Just imagine if you were a foreign service intelligence agent, and had that kind of data.”

OPM Director Katherine Archuleta declined Thursday to say who was responsible for the attacks, but other U.S. officials have said China is behind the extraordinary breach. Beijing has denied involvement.

The attackers broke into OPM’s system with the user name of a government contractor, and then used that door to move to systems in the Department of the Interior.

Beginning in spring of 2014 and ramping up over that summer, the attacks were “separate but related,” with the same actor moving between different networks, said Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security. They weren’t discovered until April of this year.

Comey had testified before lawmakers Wednesday and warned, as he has before, about the danger of cyberattacks. He and other federal law enforcement officials stress that such an attack could shut down the U.S. economy, cripple the country’s computer grid and unplug its utility systems.

He also lamented that the OPM breach compromised his own personal information and that the hacker likely had data about where he’d lived and traveled, as well as his family’s information.

“It’s not just my identity that’s affected,” he said. “I’ve got siblings. I’ve got five kids. All of that is in there.”

Comey put it this way: “It is a huge deal.”

Archuleta credited her office with detecting and cutting off the attacks. Asked whether she was considering resigning amid the investigation, she said she is not.

“We have a very aggressive push” underway to secure the networks, she said, adding that “we’ll continue to do so.”