The U.S. Office of Personnel Management confirmed Thursday that sensitive information, including the Social Security numbers of 21.5 million individuals and fingerprints in some cases, was stolen in a hack on its database connected to an attack disclosed last month.
That number shares some overlap with the 4.2 million affected in a "separate but related" breach announced in June and includes 19.7 million people who applied for a background investigation and 1.8 million nonapplicants, OPM said.
The agency's investigation added that no information at this time led it to suspect any other misuse or further dissemination of the information stolen from its systems. While speculation surrounding prior attacks on the OPM pointed to China-based hackers, a White House official said he was not prepared to comment on who was behind the most recent attack, according to Reuters.
Office of Personnel Management Director Katherine Archuleta said she "initiated a comprehensive review of the security of OPM's IT systems to identify and immediately mitigate any other vulnerabilities that may exist."
To retroactively protect those exposed in the breach, OPM announced it would be working with the Department of Defense and a "private sector firm specializing in credit and identity theft monitoring" to observe potential threats for three years at no charge.
Initial reports after a separate but related hack disclosed in June indicated the security breach was limited to 4 million current and former U.S. government workers.
House Oversight and Government Reform Committee Chairman Jason Chaffetz derided OPM leadership for failing to correct vulnerabilities and security weaknesses.
"Their negligence has now put the personal and sensitive information of 21.5 million Americans into the hands of our adversaries," Chaffetz said in a statement. "Such incompetence is inexcusable."
The OPM determined Social Security numbers, residency and educational history of some individuals were exposed in the most recent hack. Stolen fingerprint, mental health and financial data were said to be limited to individuals seeking a security clearance during background investigations.